Scope

The following describes how and when we resolve security bugs in our products. It does not describe the complete disclosure or advisory process that we follow.

Security bug fix Service Level Agreement (SLA)

We have defined the following timeframes for fixing security issues in our products:

• Critical severity bugs (CVSS v2 score >= 8, CVSS v3 score >= 9) to be fixed in product within 4 weeks of being reported

• High severity bugs (CVSS v2 score >= 6, CVSS v3 score >= 7) to be fixed in product within 6 weeks of being reported

• Medium severity bugs (CVSS v2 score >= 3, CVSS v3 score >= 4) to be fixed in product within 8 weeks of being reported

Critical Vulnerabilities

When a Critical security vulnerability is discovered by STAGIL or reported by a third party, STAGIL will Issue a new, fixed release for the current version of the affected product as soon as possible.

It is important to stay on the latest release of the product you are using (this is best practice).

STAGIL Cloud products are always fixed by STAGIL without any additional action from customers.

Non-critical vulnerabilities

When a security issue of a High, Medium or Low severity is discovered, STAGIL will include a fix in the next scheduled release. 

You should upgrade your installations when a bug fix release becomes available to ensure that the latest security fixes have been applied.

Severity Levels

STAGIL security advisories include a severity level. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can learn more about CVSS at FIRST.org.

• Critical

• High

• Medium

• Low

For CVSS v3 STAGIL uses the following severity rating system:

Below are a few examples of vulnerabilities which may result in a given severity level. Please keep in mind that this rating does not take into account details of your installation and are to be used as a guide only.

Severity Level: Critical

Vulnerabilities that score in the critical range usually have most of the following characteristics:

• Exploitation of the vulnerability likely results in root-level compromise of servers or infrastructure devices.

• Exploitation is usually straightforward, in the sense that the attacker does not need any special authentication credentials or knowledge about individual victims, and does not need to persuade a target user, for example via social engineering, into performing any special functions.

For critical vulnerabilities, is advised that you patch or upgrade as soon as possible, unless you have other mitigating measures in place. For example, a mitigating factor could be if your installation is not accessible from the Internet.

Severity Level: High

Vulnerabilities that score in the high range usually have some of the following characteristics:

• The vulnerability is difficult to exploit.

• Exploitation could result in elevated privileges.

• Exploitation could result in a significant data loss or downtime.

Severity Level: Medium

Vulnerabilities that score in the medium range usually have some of the following characteristics:

• Vulnerabilities that require the attacker to manipulate individual victims via social engineering tactics.

• Denial of service vulnerabilities that are difficult to set up.

• Exploits that require an attacker to reside on the same local network as the victim.

• Vulnerabilities where exploitation provides only very limited access.

• Vulnerabilities that require user privileges for successful exploitation. 

Severity Level: Low

Vulnerabilities in the low range typically have very little impact on an organization's business. Exploitation of such vulnerabilities usually requires local or physical system access.

Other information

We will continuously evaluate our policies based on customer feedback and will provide any updates or changes on this page.