Wiki source code of Security Patch Policy
Last modified by Scott Gagan on 2021/09/10 22:40
Show last authors
| author | version | line-number | content |
|---|---|---|---|
| 1 | == Product Security Patch Policy == | ||
| 2 | |||
| 3 | iSymphony makes it a priority to ensure that customers' systems cannot be compromised by exploiting vulnerabilities in iSymphony products. | ||
| 4 | |||
| 5 | === Scope === | ||
| 6 | |||
| 7 | This page describes when and how we release security patches and security upgrades for our products. It does not describe the whole of disclosure process that we follow. | ||
| 8 | |||
| 9 | === Critical vulnerabilities === | ||
| 10 | |||
| 11 | When a **Critical** security vulnerability is discovered by iSymphony or reported by a third party, iSymphony will do all of the following: | ||
| 12 | |||
| 13 | * Issue a new, fixed release for the current version of the affected product as soon as possible, usually in a few days. | ||
| 14 | |||
| 15 | You should upgrade your installation in order to fix the vulnerability. | ||
| 16 | |||
| 17 | === Non-critical vulnerabilities === | ||
| 18 | |||
| 19 | When a security issue of a **High, Medium or Low** severity is discovered, iSymphony will do all of the following: | ||
| 20 | |||
| 21 | * Include the fix into the next scheduled release, both for the current and previous maintenance versions. | ||
| 22 | * Where practical, provide new versions of plugins or other components of the product that can be upgraded independently. | ||
| 23 | |||
| 24 | You should upgrade your installation in order to fix the vulnerability. | ||
| 25 | |||
| 26 | === Other information === | ||
| 27 | |||
| 28 | Severity level of vulnerabilities is calculated based on Severity Levels for Security Issues. | ||
| 29 | |||
| 30 | Visit our general [[doc:iSymphony Knowledge Base.iSymphony Support Offerings.Patch Policy.WebHome]] as well. | ||
| 31 | |||
| 32 | === Examples === | ||
| 33 | |||
| 34 | **Example 1:** A critical severity vulnerability is found in a (hypothetical current release) 3.3.2. In this case, a new bugfix release, 3.3.3, which is free from this vulnerability, will be created in a few days. | ||
| 35 | |||
| 36 | **Example 2:** A high or medium severity vulnerability is found in the same release as in the previous example. The fix will be included into the currently scheduled releases 3.3.3. Release schedule will not be brought forward and no patches will be issued. If the vulnerability is in a plugin module, then a plugin upgrade package may still be supplied. |