Product Knowledge Base

Space shortcuts

Page tree

Versions Compared

Old Version 2

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version 3

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • Vulnerability Management is the process to handle security incidents.x
  • The process includes to act in a timely manner.
  • The process includes joint action of the SOS development team and sales team.

Resources

Vulnerability Management Process

...

  • After receipt of a vulnerability report SOS sets up a Vulnerability Task Force to reproduce and to identify a reported vulnerability.
    • This includes to identify affected releases of the software product.
    • This includes to evaluate risks for a given vulnerability.
    • This step typically is completed within 24 hours after receipt of a respective report.
  • If a vulnerability is confirmed then the task force will
    • request a CVE ID from https://www.mitre.org/ and will provide the respective CVE report .that is not publicly available,
    • add a private Change Request to the Change Management System,
    • report back to the vulnerability reporter about the assigned CVE ID. This step is completed immediately after receipt of a CVE ID and depends on mitre.org response times.

...

Vulnerability Fixes

  • Fixes are implemented within the scope of the Release Policy - Change Management.
  • Fixes are provided for any branches of the software product that are under maintenance.
  • Fixes are not made publicly available with the GitHub Source Code Repositories before communication.
  • Fixes include the procedure to approve that an exploit of the vulnerability is no longer applicable.
  • For high-risk and for medium-risk vulnerabilities this steps typically is completed within five business days.

...

  • With fixes being available the following applies:
    •  DownloadsDownloads
      • Maintenance releases are published for download with the SOS web site and with SourceForge. 
      • Users should be aware that 3rd party web sites that mirror downloads of SOS software products might or might not indicate availability of maintenance releases. SOS denies any liability for accurate and timely downloads of maintenance releases available from 3rd party web sites.
    • CVE Reports
      • With downloads being available SOS asks mitre.org to make the CVE report publicly available.
    •  Notification
      • Notifications are made available with the "News" section of the SOS web site.
      Notification
      • Notifications are provided by RSS Feeds.
      • Notifications are provided via Twitter News
      • Customers who subscribe to notifications within their support option receive a notification by e-mail.
  • Fixes provided for any branches under maintenance are communicated at the same point in time.

...