Security Vulnerability Response

Learn more about how we rate and resolve security vulnerabilities in our products.

Overview

Strivacity uses the NIST CVSS (Common Vulnerability Scoring System) to rate the vulnerabilities that we find and that are reported to us. CVSS establishes a common vernacular that we can use to discuss security issues internally and externally with our customers and enables us to determine when we’re going to resolve any vulnerabilities.

The table below shows the classification of the severity of the vulnerability relative to its CVSS score.

| Classification | CVSS Score |
| --- | --- |
| Critical | 9.0 - 10.0 |
| High | 7.0 - 8.9 |
| Medium | 4.0 - 6.9 |
| Low | 3.9 or below |

Resolution Timelines

The resolution timelines of a vulnerability depend upon its classification, i.e., the severity of the vulnerability. Strivacity calculates these timeframes and determines the release vehicles from the date that the vulnerability has been confirmed as a true positive by our security team.

| Classification | CVSS Score | Resolution Time (up to) | Release Vehicle |
| --- | --- | --- | --- |
| Critical | 9.0 - 10.0 | 7 days | Hotfix to existing deployments, and an incremental product release for any new deployments/customers. |
| High | 7.0 - 8.9 | 14 days | Hotfix to existing deployments, and an incremental product release for any new deployments/customers. |
| Medium | 4.0 - 6.9 | 30 days | The next future scheduled product release. |
| Low | 3.9 or below | A future scheduled product release determined by Strivacity | A future scheduled product release at Strivacity’s discretion. |

Backporting Policy

For any standalone or on-premises components, we will backport any hotfixes (for vulnerabilities classified as High or Critical) to any currently supported version of the product. Backporting of hotfixes beyond supported product versions is done on a customer-request basis.