Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Current »

Vulnerability Management Policy
In case of a security vulnerability emergency issue, please contact DigitalRoute through our support channels. DigitalRoute may reach out to the reporter to gather additional details required to recreate the issue. If a vulnerability is confirmed, then the following policy will take effect immediately.


Purpose

DigitalRoute is committed to promptly addressing any vulnerabilities that are identified. This policy describes DigitalRoute policy for managing vulnerabilities in our products, including third-party components incorporated within these products. Note that this policy does not cover the platforms and operating systems that the products may use, connect with, or operate on if they are not included in DigitalRoute's product offerings. DigitalRoute reserves the right to modify this policy at its discretion, without prior notification.

Vulnerability Management Policy

DigitalRoute employs the Common Vulnerability Scoring System (CVSS) specifically Version 3.1, as a routine part of its procedure for assessing potential security weaknesses in its products. The CVSS framework utilizes a trio of unique metrics for evaluation, comprising of Base, Temporal, and Environmental scores. DigitalRoute will compute the Environmental score based on the affected component usage and configuration.

DigitalRoute applies the following standards to define the type of Service Level Agreement (SLA) for handling security issues. This approach involves providing details about software fixes for vulnerabilities classified as Critical and High.

Severity

CVSS

Description

Fix information

Time to provide temporary fix

Time to provide an official fix

Critical

9.0-10.0

Security Vulnerability has a direct Customer impact or may reveal sensitive system or Customer information.   

Release notes (if applicable, security bulletin, knowledge base article, or any other appropriate notification method)

10 calendar days

30 calendar days

High

7.0–8.9

Security Vulnerability does not directly impact Customers or Customer data, but still significantly affects system security. 

Release notes

30 days

Next minor release if Temporary Fix is available, otherwise 3 months 

Medium

4.0–6.9

Security Vulnerability does not directly impact Customers or Customer data, and only exposes minor system details.   

No

Not applicable

Next Major release

Low

0.1-3.9

Security Vulnerability only exposes minor system details, and does not impact Customers to any significant degree   

No

Not applicable

Not applicable

The time counter starts when the Vulnerability is detected, except for a Vulnerability located on Third Party components where the time counter starts when a fix is available.  

A remediation to a vulnerability may be provided in one of the following ways:

  • fix through a Major, Minor, or a Patch release

  • configuration change (manual or scripted)

  • document change

The remediation process may also involve a temporary mitigation, when possible, providing a temporary solution until the ultimate fix is implemented.

Third-Party Software Vulnerabilities

Every vulnerability, whether discovered by DigitalRoute or reported to DigitalRoute by an external party, undergoes a thorough evaluation. This assessment focuses on determining its severity, vulnerable aspects, overall impact, root cause, level of exploitability, and the range of affected products and their versions.

DigitalRoute evaluates the security severity rating of each identified vulnerability using a widely recognized method, currently the CVSS 3.1 framework, as it is relevant and suitable. This approach considers the vulnerability's probability, extent, and impact. In cases where a vulnerability is found in a third-party software component incorporated into a DigitalRoute product, DigitalRoute will modify the CVSS score to better represent the vulnerability's effect on their product.

Reporting

DigitalRoute will report a vulnerability to its customers when actions are required to apply the remediation. Communication regarding vulnerabilities will be conducted through various methods such as security bulletins, release notes, knowledge base articles, or other suitable forms of notification. 

For DigitalRoute to label a third-party vulnerability as "high profile," it must fulfil these conditions:

  • Exist in a a third-party software component bundled with DigitalRoute products.

  • Having a minimum CVSS environmental score of 7.0.

  • No labels