CloverDX® Software Security Policy
Last update 12 Apr 2021
Commitment to product security
Security of our products is one of our most important priorities. Our developers receive security training and review the code during the development process. We use agile methodologies that help us continually improve our products.
We use automated tests to verify the functionality of our products as well as check against known vulnerabilities.
We work hard to find and mitigate security vulnerabilities in our products. However, because of the complexity and varied usage of our products, it is not always possible for us to know how they will be used, how they are deployed and protected, or how skilled the attackers seeking to undermine the security of those deployments are.
How to report a vulnerability in one of the CloverDX products
If you become aware of a security vulnerability in any CloverDX product, please contact security@cloverdx.com. We follow a set of industry practices called Coordinated Vulnerability Disclosure (CVD). Under this process, researchers report issues directly to us without publicly disclosing them, and we work together to validate the issue and provide a fix. Afterwards, the vulnerability can be disclosed to the public.
We encourage responsible disclosure of any security vulnerabilities. We will not take legal action if you:
- Provide us with the information needed to reproduce and validate the vulnerability.
- Avoid violating the privacy of data belonging to our customers, our staff and users.
- Avoid destruction of any data belonging to our customers or users.
- Don’t destroy any data or degrade customer services relying on CloverDX products.
- Give us a reasonable amount of time to address the vulnerability before you publicly disclose your research.
How we prioritize vulnerability fixes
We use the CVSS v3.1 score to determine the severity of each vulnerability and to prioritize our work:
- We aim to fix critical severity vulnerabilities (CVSS score >= 9) within 30 days of becoming aware of the issue.
- We aim to fix high severity vulnerabilities (CVSS score >= 7) within 60 days of becoming aware of the issue.
- We aim to fix medium severity vulnerabilities (CVSS score >= 4) within 90 days of becoming aware of the issue.
- We will review and prioritize vulnerabilities with low severity (CVSS score <4) together with other development work.
We release security fixes for supported versions of our products (retired products do not receive security fixes). See the Downloads section in the Customer Portal for more details about supported product versions.
We recommend that you keep your products updated so that you stay as close to the most recent version as possible.
How we communicate about security vulnerabilities
We provide security advisories for critical and high severity issues at the same time as we publish a fix for them. A list of previously announced security vulnerabilities and their security advisories is available here.