Applicable for all SmartChecklist for Jira.Enterprise versions: Cloud, Server and Data Center
The Security Bug Fix Policy (“Policy”) is intended to communicate to all Railsware Products, Inc. (“Railsware”) free evaluation users (“Users”) and paid customers (“Customers”) the process that we follow when resolving security bugs in our products. This Policy does not provide details about the complete disclosure and advisory process that we follow. Refer to the Security Breach Policy for further details.
Categories of Vulnerability Issues
At our company, we split all vulnerability issues into several categories:
Critical severity issues allow an attacker to:
Compromise servers or infrastructure devices
Exploit the vulnerability in a straightforward way, without any special authentication credentials or knowledge about individual victims
These issues are marked as Priority-0 and assigned to be fixed within 4 weeks of being reported.
High severity vulnerabilities are difficult to exploit, and they allow an attacker to gain elevated privileges, as well as to cause significant data loss or downtime.
These issues are marked as Priority-1 and assigned to be fixed within 6 weeks of being reported.
Medium severity vulnerabilities allow an attacker to:
Exploit the vulnerability while residing on the same local network as the victim
Manipulate individual victims via social engineering tactics
Gain very limited access to data and resources
Exploit the vulnerability only if they have user privileges
These issues are marked as Priority-2 and assigned to be fixed within 8 weeks of being reported.
Low severity vulnerabilities are usually bugs that would normally be a higher severity, but which have extreme mitigating factors or highly limited scope.
These issues are marked as Priority-3 and assigned to be fixed within 10 weeks of being reported.
The best practice for Railsware Users and Customers is to stay on the latest bug fix release for the version of Smart Checklist for Jira Enterprise that they are using. For example, if you are using Smart Checklist for Jira.Enterprise 4.7.0, you should upgrade to the latest version of the product proactively.
When a security issue of a High, Medium or Low severity is discovered, Railsware will include a fix in the next scheduled release.
Railsware Users and Customers should upgrade their installations when a bug fix release becomes available to ensure that the latest security fixes have been applied.
We will continuously evaluate our policies based on customer feedback and will provide any updates or changes on this page.