ALM Works makes it a priority to ensure that customers' systems cannot be compromised by exploiting vulnerabilities in our products.

Scope 

The following describes how and when we resolve security bugs in our products. It does not describe the complete disclosure or advisory process that we follow.

We determine the severity level of vulnerabilities based on Severity Levels for Security Issues.

Cloud-based products

The following applies if you are a customer using Structure Cloud or Structure.Gantt Cloud.

Resolution timeframes

These timeframes apply to all cloud-based ALM Works products.

  • Critical severity bugs (CVSS v2 score >= 8, CVSS v3 score >= 9) to be fixed in the product within four weeks of being reported
  • High severity bugs (CVSS v2 score >= 6, CVSS v3 score >= 7) to be fixed in the product within six weeks of being reported
  • Medium severity bugs (CVSS v2 score >= 3, CVSS v3 score >= 4) to be fixed in the product within eight weeks of being reported
  • Low severity bugs (CVSS v2 score < 3, CVSS v3 score < 4) may be fixed in the product within 25 weeks of being reported


Server / Datacenter products

The following applies if you are a customer using the Structure Server/DC, Structure.Gantt, Structure.Testy, or Structure.Pages applications.

Resolution timeframes

  • Critical severity bugs (CVSS v2 score >= 8, CVSS v3 score >= 9) to be fixed in the product within four weeks of being reported
  • High severity bugs (CVSS v2 score >= 6, CVSS v3 score >= 7) to be fixed in the product within six weeks of being reported
  • Medium severity bugs (CVSS v2 score >= 3, CVSS v3 score >= 4) should be fixed in the product within 12 weeks of being reported
  • Low severity bugs (CVSS v2 score < 3, CVSS v3 score < 4) should be fixed in the product within 25 weeks of being reported

Critical Vulnerabilities

When a Critical security vulnerability is discovered by ALM Works, or reported by a user or third party, ALM Works will do all of the following:

  • Issue a new, fixed release for the current version of the affected product as soon as possible.
  • Issue a new maintenance release for any other affected version as follows:

PRODUCT: Structure Server/DC, Structure.Gantt, Structure.Testy, Structure.Pages

BACK PORT POLICY: We issue new bug fix releases for any version of our products where the issue is confirmed. If multiple versions of our product support the client's version of Jira, we issue an update for the most recent version of our product.

EXAMPLE: If a critical security bug is found and confirmed in our Structure Server/DC product starting from version 3.5.2, we will issue patches to the following versions:

  • Structure 3.5.2 supporting Jira Server/DC 7.0.x
  • Structure 4.1.2 supporting Jira Server/DC 7.1.x
  • Structure 5.1.1 supporting Jira Server/DC 7.2.x
  • Structure 5.6.4 supporting Jira Server/DC 7.6.x
  • Structure 6.2.0 supporting Jira Server/DC 7.13 and above

It is crucial to stay on the latest bug fix release for the version of the product you are using (this is best practice). Security bug fix releases typically include minimal changes (i.e. only the security fix), so the update is easier to apply.

The critical vulnerabilities resolution process does not apply to our Cloud products, as these services are always fixed by ALM Works without any additional action from customers.

Non-critical vulnerabilities 

When a security issue of a Medium or Low severity is discovered, we will include a fix in the next scheduled release. The fix will also be ported to other versions of our product (as per the table above), if applicable. 

You should upgrade your installations when a bug fix release becomes available to ensure that the latest security fixes have been applied.