Security Bug Fix Policy
Vulnerability Policy
This is our policy on vulnerabilities discovered in our apps:
We will handle each vulnerability according to its severity level, as described below. Where necessary, we may take additional measures to best serve your needs, such as informing customers or evaluators.
Every vulnerability will be rated according to CVSS v3 and the following table:
| CVSS v3 score range | Severity |
|---|---|
| 0.1 – 3.9 | Low |
| 4.0 – 6.9 | Medium |
| 7.0 – 8.9 | High |
| 9.0 – 10.0 | Critical |
Critical Severity Level
Critical severity vulnerabilities will be fixed within 4 weeks of coming to our knowledge, and the fix will be shipped in a bug fix release as soon as possible.
We will send a Security Advisory email to all known customers and evaluators.
High Severity Level
High severity vulnerabilities will be fixed within 6 weeks of coming to our knowledge and will be included in the next scheduled bug fix release.
Medium Severity Level
Medium severity vulnerabilities will be fixed within 8 weeks of coming to our knowledge and will be included in the next scheduled bug fix release.