Product Knowledge Base

Space shortcuts

Page tree

Versions Compared

Old Version 6

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version 7

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Resources

Vulnerability Management Process

...

  • Reports about vulnerabilities are are 
    • automatically detected by SOS monitoring tools based on a Software Bill of Materials (SBOM),
    • forwarded to SOS
    • by automated vulnerability detection provided from the the GitHub Source Code Repositories,
    • forwarded to SOS by users via private e-mail,
    • forwarded to SOS by customers via the the SOS Ticket System.
  • Detection of vulnerabilities includes both the SOS software product and any 3rd party libraries components included with the software product.
    • Sources of vulnerability detection in source code of SOS software products include
      • automated scans performed by source code repositories,
      • security audits performed by users and customers for example for pen-testing,
      • security breaches reported by users and customers.
    • SOS tracks vulnerabilities in 3rd party open source libraries by automated scans provided by source code repositories,
  • Users are advised to use private e-mail to report vulnerabilities to support@sos-berlin.com 

Vulnerability Verification

  • After receipt of a vulnerability report SOS sets up a task force to reproduce and to identify a reported vulnerability.
    • This includes to identify affected releases of the software product.
    • This includes to evaluate risks for a given vulnerability.
    • This step typically is completed within 24 hours after receipt of a respective report.
  • If a vulnerability is confirmed then the task force will
    • request a CVE ID from https://www.mitrecve.org/ and will provide the respective CVE report that is not publicly available,
    • add a private Change Request to the Change Management System,
    • report back to the vulnerability reporter about the assigned CVE ID. This step is completed immediately after receipt of a CVE ID and depends on mitrecve.org response times.

Vulnerability Risk Mitigation

...

  • With fixes being available the following applies:
    •  Downloads
      • Maintenance releases are published for download with the SOS web site and with SourceForge. 
      • Users should be aware that 3rd party web sites that mirror downloads of SOS software products might or might not indicate availability of maintenance releases. SOS denies any liability for accurate and timely downloads of maintenance releases available from 3rd party web sites.
    • CVE Reports
      • With downloads being available SOS asks mitre.org to make the CVE report publicly available.
    •  Notification
      • Notifications are made available with the "News" section of the SOS web site.
      • Notifications are provided by RSS Feeds.Notifications are provided via Twitter News
      • Customers who subscribe to notifications within their support option receive a notification by e-mail.
      • The Product Knowledge Base is added the information with the list of Vulnerabilities.
  • Fixes provided for any branches under maintenance are communicated at the same point in time.

...