To report a security vulnerability or an urgent security issue, contact DigitalRoute through its support channels. DigitalRoute may contact the reporter for any additional details needed to reproduce the issue. Once a vulnerability is confirmed, the following policy takes effect immediately.
Purpose
DigitalRoute is committed to promptly addressing any vulnerabilities that are identified. This policy describes how DigitalRoute manages vulnerabilities in its products, including third-party components bundled with those products. It does not cover platforms and operating systems that the products run on, use, or connect to unless they are part of DigitalRoute's product offerings. DigitalRoute reserves the right to modify this policy at its discretion, without prior notification.
Vulnerability Management Policy
DigitalRoute uses the Common Vulnerability Scoring System (CVSS), version 3.1, as a routine part of assessing potential security weaknesses in its products. CVSS 3.1 evaluates a vulnerability with three metric groups: Base, Temporal, and Environmental. DigitalRoute computes the Environmental score from how the affected component is used and configured in its products, so the score DigitalRoute acts on can differ from the Base score published for the same flaw.
DigitalRoute applies the following criteria to define the Service Level Agreement (SLA) for handling security issues. For vulnerabilities rated Critical or High, DigitalRoute also publishes details of the software fix.
Severity | CVSS 3.1 score | Description | Fix information | Time to provide a temporary fix | Time to provide an official fix |
---|---|---|---|---|---|
Critical | 9.0–10.0 | The vulnerability has a direct impact on Customers or may expose sensitive system or Customer information. | Release notes and, where applicable, a security bulletin, knowledge base article, or other appropriate notification | 10 calendar days | 30 calendar days |
High | 7.0–8.9 | The vulnerability does not directly affect Customers or Customer data, but still significantly affects system security. | Release notes | 30 days | Next minor release if a temporary fix is available; otherwise 3 months |
Medium | 4.0–6.9 | The vulnerability does not directly affect Customers or Customer data, and exposes only minor system details. | None | Not applicable | Next major release |
Low | 0.1–3.9 | The vulnerability exposes only minor system details and does not affect Customers to any significant degree. | None | Not applicable | Not applicable |
The clock starts when the vulnerability is detected, except for vulnerabilities in third-party components, where it starts when the third party's fix becomes available.
A vulnerability may be remediated in one of the following ways:
a fix delivered in a major, minor, or patch release
a configuration change (manual or scripted)
a documentation change
Where possible, the remediation process also includes a temporary mitigation that reduces exposure until the final fix is delivered.
Third-Party Software Vulnerabilities
Every vulnerability, whether discovered by DigitalRoute or reported by an external party, is evaluated thoroughly. The assessment determines its severity, the affected functionality, overall impact, root cause, exploitability, and the range of affected products and versions.
DigitalRoute rates the severity of each identified vulnerability using a widely recognized method, currently the CVSS 3.1 framework, where applicable. This approach considers the vulnerability's likelihood, extent, and impact. When a vulnerability is found in a third-party software component bundled with a DigitalRoute product, DigitalRoute adjusts the CVSS score (through the Environmental metrics) so that it reflects the vulnerability's effect on the DigitalRoute product rather than on the component in isolation.
Reporting
DigitalRoute notifies its customers of a vulnerability when they need to take action to apply the remediation. Notification is made through security bulletins, release notes, knowledge base articles, or other suitable channels.
DigitalRoute labels a third-party vulnerability as "high profile" only if it meets both of these conditions:
It exists in a third-party software component bundled with DigitalRoute products.
Its CVSS Environmental score, as computed by DigitalRoute for the affected product, is at least 7.0.