Security Patch Policy

Last modified by Scott Gagan on 2021/09/10 22:40

Product Security Patch Policy

iSymphony makes it a priority to ensure that customers' systems cannot be compromised by exploiting vulnerabilities in iSymphony products.

Scope

This page describes when and how we release security patches and security upgrades for our products. It does not describe the whole of the disclosure process that we follow.

Critical vulnerabilities

When a Critical security vulnerability is discovered by iSymphony or reported by a third party, iSymphony will do all of the following:

  • Issue a new, fixed release for the current version of the affected product as soon as possible, usually in a few days.

You should upgrade your installation in order to fix the vulnerability.

Non-critical vulnerabilities

When a security issue of a High, Medium or Low severity is discovered, iSymphony will do all of the following:

  • Include the fix in the next scheduled release, both for the current and previous maintenance versions.
  • Where practical, provide new versions of plugins or other components of the product that can be upgraded independently.

You should upgrade your installation in order to fix the vulnerability.

Other information

The severity level of a vulnerability is calculated based on Severity Levels for Security Issues.

Visit our general Patch Policy as well.

Examples

Example 1: A critical severity vulnerability is found in release 3.3.2 (a hypothetical current release). In this case, a new bugfix release, 3.3.3, which is free from this vulnerability, will be created in a few days.

Example 2: A high or medium severity vulnerability is found in the same release as in the previous example. The fix will be included in the currently scheduled release, 3.3.3. The release schedule will not be brought forward and no patches will be issued. If the vulnerability is in a plugin module, then a plugin upgrade package may still be supplied.

   