Security bug fix policy
DynamicWeb makes it a priority to ensure that customers' systems cannot be compromised by exploiting vulnerabilities in DynamicWeb products.
The following describes how and when we resolve security bugs in our products. It does not describe the complete disclosure or advisory process that we follow.
Security bug fix Service Level Objectives (SLO)
DynamicWeb sets service level objectives for fixing security vulnerabilities based on the security severity level and the affected product.
Resolution timeframes
These timeframes apply to all cloud based DynamicWeb products, and any other software or system that is managed by DynamicWeb or running on DynamicWeb infrastructure.
- Critical severity bugs to be fixed in product within 2 days of being verified
- High severity bugs to be fixed in product within 5 days of being verified
- Medium severity bugs to be fixed in product within 20 business days of being verified
- Low severity bugs to be fixed in product within 20 business days of being verified
Releases of security bug fixes low-high follows the regular release versions as for other bugs.
Critical vulnerabilities
When a Critical security vulnerability is discovered by DynamicWeb or reported by a third party, Dynamicweb will do all the following:
- Issue a new, fixed release for the current active and supported versions of the affected product as soon as possible
- Issue a new patch release for a previous version as follows
Issue new bug fix releases for:
- Any versions designated as ‘supported’ and have not reached end of life
- All minor versions released within 12 months of the date the fix is released
Classification of security issues
Dynamicweb uses Common Vulnerability Scoring System (CVSS) as a method of assessing security risk and prioritization for each discovered vulnerability. CVSS is an industry standard vulnerability metric. You can learn more about CVSS at FIRST.org.
DynamicWeb will issue a security advisory report and include a severity level. It is based on our self-calculated CVSS score for each specific vulnerability.
DynamicWeb will issue a security advisory report and include a severity level. It is based on our self-calculated CVSS score for each specific vulnerability.
- Critical
- High
- Medium
- Low
DynamicWeb uses the following severity rating system:
| CVSS Score Range | Severity in Advisory |
|---|---|
| 9.0 - 10.0 | Critical |
| 7.0 - 8.9 | High |
| 4.0 - 6.9 | Medium |
| 0.1 - 3.9 | Low |
In some cases, DynamicWeb may use additional factors unrelated to CVSS score to determine the severity level of a vulnerability.
Below are a few examples of vulnerabilities which may result in each severity level. Please keep in mind that this rating does not consider details of your installation and is used for reference and guiding, not as a hard rule.
Severity Level: Critical
Vulnerabilities that score in the critical range usually have most of the following characteristics:
- Exploitation of the vulnerability likely results in root-level compromise of servers or infrastructure devices.
- Exploitation of the vulnerability will give full administrative access to Dynamicweb.
- Exploitation is straightforward, in the sense that the attacker does not need any special authentication credentials or knowledge about individual victims, and does not need to persuade a target user, for example via social engineering, into performing any special functions.
For critical vulnerabilities it is recommended that you patch or upgrade as soon as possible, unless you have other mitigating measures in place. For example, prohibiting access to your installation from the Internet can serve as a mitigating factor.
Severity Level: High
Vulnerabilities that score in the high range usually have some of the following characteristics:
- The vulnerability is difficult to exploit
- Exploitation could result in elevated privileges
- Exploitation could result in significant data loss or downtime
Severity Level: Medium
Vulnerabilities that score in the medium range usually have some of the following characteristics:
- Vulnerabilities that require the attacker to manipulate individual victims via social engineering tactics
- Denial of service vulnerabilities that are difficult to set up
- Exploits that require an attacker to reside on the same local network as the victim
- Vulnerabilities where exploitation provides only very limited access
- Vulnerabilities that require user privileges for successful exploitation
Severity Level: Low
Vulnerabilities in the low range typically have very little impact on an organization’s business. Exploitation of such vulnerabilities usually requires local or physical system access.
Submission process
Bug reports for our software should be submitted through our Partner Support using the process for submitting bugs.