SECURITY VULNERABILITY PROCESS
The following describes how and when we resolve security bugs in our products. It does not describe the complete disclosure or advisory process that we follow.
Security bug fix Service Level Agreement (SLA)
We have defined the following timeframes for fixing security issues in our products:
Critical severity bugs (CVSS v2 score >= 8, CVSS v3 score >= 9) are to be fixed in the product within 4 weeks of being reported.
High severity bugs (CVSS v2 score >= 6, CVSS v3 score >= 7) are to be fixed in the product within 6 weeks of being reported.
Medium severity bugs (CVSS v2 score >= 3, CVSS v3 score >= 4) are to be fixed in the product within 8 weeks of being reported.
The following critical vulnerability resolution policy applies to Neelix Delivery Manager for Jira as offered via the Atlassian Jira Marketplace.
When a Critical security vulnerability is discovered by us or reported by a third party, the following will be undertaken:
Issue a new, fixed release for the cloud deployment; all clients will be protected, provided users reload their web browser.
When a security issue of a High, Medium or Low severity is discovered, we will include a fix in the next scheduled release.
The only requirement is for users to refresh their web browser session when the fix is advertised.
What is the deployment solution for Neelix Task Manager?
Neelix backend processes operate in GCP, and the client is served from App Engine.
What is a ‘release’?
A release is a version (for example 2.2.3) which contains new features or changes to existing features.