Product Knowledge Base

Space shortcuts

Page tree

Versions Compared

Old Version 8

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version 9

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • Depending on the security risks identified with the previous step for verification of a vulnerability the following applies:
    • for high-risk and for medium-risk vulnerabilities an alert is provided to customers who subscribe to this type of notification with their product support option.
    • for low-risk vulnerabilities no information is provided to customers.
  • Based on the criticality a release date is determined:
    • For high-risk and for medium-risk vulnerabilities an immediate maintenance release date is planned for branches of the software product that are under maintenance.
    • For low-risk vulnerabilities the typical release cycle of approx. 3 months or earlier is applied.
  • Users have a choice to remove vulnerable 3rd-party components from the installation of a JS7 product:
    • The JS7 - Package Management offers to disable/enable software packages.
    • This approach is applicable if minor features of JS7 are affected and if users are willing not to use such features.

Vulnerability Fixes

  • Fixes are implemented within the scope of the Release Policy - Change Management.
  • Fixes are provided for any branches of the software product that are under maintenance.Fixes are not made publicly available with the GitHub Source Code Repositories before communication.
  • Fixes include the procedure to approve that an exploit of the vulnerability is no longer applicable.
  • For high-risk and for medium-risk vulnerabilities this steps typically is completed within five business days.

...

  • With fixes being available the following applies:
    •  Downloads
      • Maintenance releases are published for download with the SOS web site and with SourceForge. 
      • Users should be aware that 3that 3rd-party web  web sites that mirror downloads of SOS software products might or might not indicate availability of maintenance releases. SOS denies any liability for accurate and timely downloads of maintenance releases available from 3rd-party web sites.
    • CVE Reports
      • With downloads being available SOS asks cve.org to make the CVE report publicly available.
    •  Notification
      • Notifications are made available with the News section of the SOS web site.
      • Notifications are provided by RSS Feeds.
      • Customers who subscribe to notifications within their support option receive a notification by e-mail.
      • The Product Knowledge Base is added the information with the list of VulnerabilitiesVulnerability Remediation Releases.
  • Fixes provided for any branches under maintenance are communicated at the same point in time.

...