Security Vulnerability Response
Learn more about how we rate and resolve security vulnerabilities in our products.

Overview

Strivacity uses the NIST CVSS (Common Vulnerability Scoring System) to rate the vulnerabilities that we find and that are reported to us. CVSS establishes a common vernacular that we can use to discuss security issues internally and externally with our customers and enables us to determine when we’re going to resolve any vulnerabilities.
The table below shows the classification of the severity of the vulnerability relative to its CVSS score.
| Classification | CVSS Score |
| --- | --- |
| Critical | 9.0 - 10.0 |
| High | 7.0 - 8.9 |
| Medium | 4.0 - 6.9 |
| Low | 3.9 or below |

Resolution Timelines

The resolution timelines of a vulnerability depend upon its classification, i.e., the severity of the vulnerability. Strivacity calculates these timeframes and determines the release vehicles from the date that the vulnerability has been confirmed as a true positive by our security team.
| Classification | CVSS Score | Resolution Time (up to) | Release Vehicle |
| --- | --- | --- | --- |
| Critical | 9.0 - 10.0 | 7 days | Hotfix to existing deployments, and an incremental product release for any new deployments/customers. |
| High | 7.0 - 8.9 | 14 days | Hotfix to existing deployments, and an incremental product release for any new deployments/customers. |
| Medium | 4.0 - 6.9 | 30 days | The next future scheduled product release. |
| Low | 3.9 or below | A future scheduled product release determined by Strivacity | A future scheduled product release at Strivacity’s discretion. |

Backporting Policy

For any standalone or on-premises components, we will backport hotfixes (for vulnerabilities classified as High or Critical) to any currently supported version of the product. Backporting of hotfixes beyond supported product versions is done on a customer-request basis.