
Introduction

  • Vulnerability Management is the process for handling security incidents.

Resources

Vulnerability Management Process

Vulnerability Reporting

  • Reports about vulnerabilities are forwarded to SOS.
  • Detection of vulnerabilities covers both the SOS software product and any 3rd party libraries included with the software product.
    • Sources of vulnerability detection in source code of SOS software products include
      • automated scans performed by source code repositories,
      • security audits performed by users and customers, for example pen-testing,
      • security breaches reported by users and customers.
    • SOS tracks vulnerabilities in 3rd party open source libraries by automated scans provided by source code repositories.
  • Users are advised to use private e-mail to report vulnerabilities.

Vulnerability Verification

  • After receipt of a vulnerability report, SOS sets up a Vulnerability Task Force to reproduce and identify the reported vulnerability.
    • This includes identifying the affected releases of the software product.
    • This includes evaluating the risk of the given vulnerability.
    • This step is typically completed within 24 hours after receipt of the report.
  • If a vulnerability is confirmed then the task force will
    • request a CVE ID from https://www.mitre.org/ and provide the respective CVE report.
    • add a private Change Request to the Change Management System,
    • report back to the vulnerability reporter with the assigned CVE ID. This step is completed immediately after receipt of a CVE ID and depends on mitre.org response times.

Vulnerability Risk Mitigation

  • Depending on the security risk identified in the verification step, the following applies:
    • for high-risk and medium-risk vulnerabilities, an alert is provided to customers who subscribe to this type of notification with their product support option.
    • for low-risk vulnerabilities, no information is provided to customers.
  • Based on the criticality a release date is determined:
    • For high-risk and medium-risk vulnerabilities, an immediate maintenance release date is planned for the branches of the software product that are under maintenance.
    • For low-risk vulnerabilities, the typical release cycle of approx. 3 months, or earlier, is applied.

Vulnerability Fixes

  • Fixes are provided for all branches of the software product that are under maintenance.
  • Fixes are not made publicly available in the GitHub Source Code Repositories.
  • Fixes include a verification procedure confirming that the vulnerability can no longer be exploited.
  • For high-risk and medium-risk vulnerabilities, this step is typically completed within five business days.

Vulnerability Communication

  • With fixes being available the following applies:
    • In addition 
  • Fixes provided for all branches under maintenance are communicated at the same point in time.