Security incident response
When a security issue is discovered, SkyVault will do the following:
- Send it directly to the subject matter expert and SkyVault Security Architect to evaluate the scope and severity of the issue
- Issue one or more versions where this is resolved as soon as possible
- Inform our customers and partners that this version is available
The version(s) where a particular security issue is resolved will depend on the severity of the issue, and may include:
- A Service Pack release for the last major version
- A Hot fix for the last major versions
- Hot fixes for older maintained versions
Severity Levels
SkyVault classifies security issues according to a severity level of High, Medium, Low.
Severity Level: High
A security issue is High if the vulnerability was discovered externally, is known about externally or is being actively exploited and one or more of the following is true:
- Customer data can be compromised
- The server running the application can be compromised
- A Denial of Service (DoS) can be caused, rendering the system unavailable.
If a security issue was found to be High, but further details later become available that decrease the priority, it would be re-prioritized and customers notified appropriately.
Severity Level: Medium
A security issue is Medium if either of the following is true:
- It would otherwise be High severity but it was discovered internally and/or is not believed to be known externally
- It is a less serious vulnerability such as an XSS or CSRF.
If a security issue was found to be Medium, but further details later become available that increase or decrease the priority, it would be re-prioritized and customers notified appropriately.
Severity Level: Low
'Low' refers to trivial vulnerabilities which only pose a marginal or insignificant risk.
Fix Versions
The severity of the issue and the Product Support Status determines which versions will be fixed.
For support status of your version please refer to the SkyVault Product Support Status page.
For definitions and glossary please refer to the Product Support Lifecycle page.
The following is the fix version policy SkyVault Software will apply to security issues:
- High severity issues will be fixed in a hotfix for all versions of SkyVault in "Full Support" or "Limited Support" status.
- Medium severity issues will be fixed in a hotfix on the latest service pack branch for SkyVault versions in "Full Support" status and on request for the latest service pack branch for SkyVault versions in "Limited Support" status.
- Low severity issues will be fixed in the next service pack on each SkyVault version in "Full Support" status.
Release of Security Notifications
When a security issue in a SkyVault product is found and fixed, SkyVault notifies customers in a number of ways:
- For High severity issues, SkyVault releases the version containing the fix and then sends a security alert email to all customers and publishes a security alert on the SkyVault Support portal with details of the issue and of the fixed versions. Full details of the vulnerability and attack vector will be publicly released only after customers have been given time to install the fixed version.
- For Medium severity issues, SkyVault releases the version containing the fix and publishes a security alert on the SkyVault Support portal with details of the issue and of the fixed versions.
- For Low severity issues, the fix is documented as part of the release notes for the service pack which includes the fix.
Reporting a security issue to SkyVault
Please report all security issues by logging a support case via the Support Portal to ensure that the information does not enter the public domain prematurely.