In the event of an urgent security vulnerability, contact DigitalRoute through its support channels. DigitalRoute may contact the reporter to gather the additional details needed to reproduce the issue. Once a vulnerability is confirmed, the following policy takes effect immediately.
Severity | CVSS 3.1 score | Description | Fix information | Time to provide a Temporary Fix | Time to provide an official fix
---|---|---|---|---|---
Critical | 9.0–10.0 | Security Vulnerability has a direct Customer impact or may reveal sensitive system or Customer information. | Release notes (and, if applicable, a security bulletin, knowledge base article, or other appropriate notification) | 10 calendar days | 30 calendar days
High | 7.0–8.9 | Security Vulnerability does not directly impact Customers or Customer data, but still significantly affects system security. | Release notes | 30 calendar days | Next minor release if a Temporary Fix is available, otherwise 3 months
Medium | 4.0–6.9 | Security Vulnerability does not directly impact Customers or Customer data, and only exposes minor system details. | No | Not applicable | Next major release
Low | 0.1–3.9 | Security Vulnerability only exposes minor system details and does not impact Customers to any significant degree. | No | Not applicable | Not applicable

The clock starts when the Vulnerability is detected, except for a Vulnerability in a third-party component, where the clock starts when a fix for that component becomes available.
A remediation for a vulnerability may be provided in one of the following ways:

- a fix delivered in a major, minor, or patch release
- a configuration change (manual or scripted)
- a documentation change

Where possible, the remediation process may also include a temporary mitigation (a Temporary Fix) that provides interim protection until the final fix is delivered.
Third-Party Software Vulnerabilities
Every vulnerability, whether discovered by DigitalRoute or reported to DigitalRoute by an external party, undergoes a thorough evaluation. This assessment focuses on determining its severity, vulnerable aspects, overall impact, root cause, level of exploitability, and the range of affected products and their versions.
DigitalRoute rates the severity of each identified vulnerability using a widely recognised method, currently the CVSS 3.1 framework, where it is relevant and suitable. CVSS scores a vulnerability on its exploitability, its scope, and its impact on confidentiality, integrity, and availability. Where a vulnerability is found in a third-party software component bundled with a DigitalRoute product, DigitalRoute adjusts the score (using the CVSS environmental metrics) so that it reflects the vulnerability's actual effect within that product rather than the score published for the component in isolation.
Reporting
DigitalRoute will report a vulnerability to its customers when actions are required to apply the remediation. Communication regarding vulnerabilities will be conducted through various methods such as security bulletins, release notes, knowledge base articles, or other suitable forms of notification.
For DigitalRoute to classify a third-party vulnerability as "high profile", it must meet both of these conditions:

- it exists in a third-party software component bundled with DigitalRoute products
- it has a CVSS environmental score of at least 7.0