Security Bug Fix Policy

Applicable for all Smart Checklist for Jira.Enterprise versions: Cloud, Server and Data Center

Last updated:  

Introduction

The Security Bug Fix Policy (“Policy”) is intended to communicate to all Railsware Products, Inc. (“Railsware”) free evaluation users (“Users”) and paid customers (“Customers”) the process that we follow when resolving security bugs in our products. This Policy does not provide details about the complete disclosure and advisory process that we follow. Refer to the Security Breach Policy for further details.

Categories of Vulnerability Issues

At our company, we split all vulnerability issues into several categories:


Critical severity



Critical severity issues allow an attacker to:

  • Compromise servers or infrastructure devices
  • Exploit the issue in a straightforward way, without any special authentication credentials or knowledge about individual victims

These issues are marked as Priority-0 and assigned to be fixed within 4 weeks of being reported.

High severity



High severity vulnerabilities are difficult to exploit, but they allow an attacker to gain elevated privileges and can result in significant data loss or downtime.


These issues are marked as Priority-1 and assigned to be fixed within 6 weeks of being reported.

Medium severity



Medium severity vulnerabilities allow an attacker to:

  • Exploit the issue while residing on the same local network as the victim
  • Manipulate individual victims via social engineering tactics
  • Gain very limited access to data and resources
  • Exploit the issue only if they have user privileges

These issues are marked as Priority-2 and assigned to be fixed within 8 weeks of being reported.

Low severity

Low severity vulnerabilities are usually bugs that would normally be a higher severity, but which have extreme mitigating factors or highly limited scope.


These issues are marked as Priority-3 and assigned to be fixed within 10 weeks of being reported.

The best practice for Railsware Users and Customers is to stay on the latest bug fix release for the version of Smart Checklist for Jira.Enterprise you are using. For example, if you are using Smart Checklist for Jira.Enterprise 4.7.0, you should upgrade to the latest version of the product proactively.

Non-critical vulnerabilities

When a security issue of High, Medium or Low severity is discovered, Railsware will include a fix in the next scheduled release.

Railsware Users and Customers should upgrade their installations when a bug fix release becomes available to ensure that the latest security fixes have been applied.

Other information

We will continuously evaluate our policies based on customer feedback and will provide any updates or changes on this page.




For any questions or feature requests, contact us: smartchecklist@railsware.com