Security Bug Fix Policy
The following describes how and when we resolve security bugs in our products. It does not describe the complete disclosure or advisory process that we follow.
We determine the severity level of vulnerabilities based on Severity Levels for Security Issues.
Server / Datacenter products
Below applies if you're a customer and using Structure Server/DC, Structure.Gantt, Structure.Testy, or Structure.Pages applications.
- Critical severity bugs (CVSS v2 score >= 8, CVSS v3 score >= 9) to be fixed in the product within four weeks of being reported
- High severity bugs (CVSS v2 score >= 6, CVSS v3 score >= 7) to be fixed in the product within six of being reported
- Medium severity bugs (CVSS v2 score >= 3, CVSS v3 score >= 4) should be fixed in the product within 12 weeks of being reported
- Low severity bugs (CVSS v2 score < 3, CVSS v3 score < 4) should be fixed in the product within 25 weeks of being reported
When a Critical security vulnerability is discovered by ALM Works, or reported by a user or third party, ALM Works will do all of the following:
- Issue a new, fixed release for the current version of the affected product as soon as possible.
- Issue a new maintenance release for any other affected version as follows:
BACK PORT POLICY
We issue new bug fix releases for any version of our products where the issue is confirmed.
If multiple versions of our product support the client's version of Jira, we issue an update for the most recent version of our product.
For example, if a critical security bug is found and confirmed in our Structure Server/DC product starting from version 3.5.2, we will issue patches to the following versions:
It is crucial to stay on the latest bug fix release for the version of the product you are using (this is best practice). Security bug fix releases typically include minimal changes (i.e. only the security fix), so the update is easier to apply.
When a security issue of a Medium or Low severity is discovered, we will include a fix in the next scheduled release. The fix will also be ported to other versions of our product (as per the table above), if applicable.
You should upgrade your installations when a bug fix release becomes available to ensure that the latest security fixes have been applied.