From 05691e19e468378ef498078c4a37d66b12ed211c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=9Cvveesseelliinnaa=E2=80=9D?= Date: Thu, 28 Nov 2024 14:50:34 +0200 Subject: [PATCH] docs(security): add vulnerability remediation guidelines --- docs/security/overview.md | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/docs/security/overview.md b/docs/security/overview.md index a3920b2..fef2b85 100644 --- a/docs/security/overview.md +++ b/docs/security/overview.md @@ -29,17 +29,27 @@ At Progress, we work diligently to identify and fix security vulnerabilities in We value the contributions of security researchers and ethical hackers. If a researcher identifies a potential vulnerability, they can submit it via our [Bugcrowd](https://bugcrowd.com/engagements/devtools-vdp) platform. We aim to meet the following response times: -| Type of Response | SLO (in business days) | -|------------------|------------------------| -| First Response | 7 days | -| Time to Triage | 10 days | -| Time to Resolution| Depends on severity | +| Type of Response | SLO (in business days) | +| ------------------ | ------------------------------------------------------------ | +| First Response | 7 days | +| Time to Triage | 10 days | +| Time to Resolution | [Depends on severity](#vulnerability-remediation-guidelines) | For more information, visit: - [Bugcrowd Vulnerability Disclosure Program](https://bugcrowd.com/engagements/devtools-vdp) - [Progress Trust Center](https://www.progress.com/trust-center) - [Vulnerability Reporting Policy](https://www.progress.com/trust-center/vulnerability-reporting-policy) +## Vulnerability Remediation Guidelines + +Progress follows defined timelines for remediating vulnerabilities based on their severity levels, ensuring a structured and efficient approach to maintaining security across all products. These guidelines are aligned with CVSS (Common Vulnerability Scoring System) scoring: + +- **Critical scored issues (CVSS 9.0+):** Resolved within **30 days**. +- **High scored issues (CVSS 7.0–8.9):** Resolved within **60 days**. +- **Medium or lower scored issues (CVSS < 7):** Resolved within **90–120 days**, depending on the score. + +While these are not strict SLA (Service Level Agreement), they serve as a commitment to providing timely resolutions for identified vulnerabilities. + ## What We Do to Mitigate Risk Our dedicated security team, comprised of experienced developers and security experts—our "Security Champions"—reviews all web, desktop, and mobile products technologies for potential vulnerabilities. These vulnerabilities may be internally identified, reported by third-party tools, or flagged externally.