Numecent builds products that customers can trust in critical production operations, and as such, we recognize that our products must meet the highest standards for security. This article documents our process for evaluating and resolving possible vulnerabilities in our products and services so that our customers can have the assurance that corrected action will be taken in a timely fashion.TABLE OF CONTENTSPatch ManagementNew ReleasesPatch UpdatesClasses of VulnerabilitiesCritical vulnerabilitiesNon-critical vulnerabilitiesFix or Corrective ActionReporting Security VulnerabilitiesPatch ManagementNew releases are major versions containing features, change requests, and product bug fixes. Features are prioritized by Numecent's roadmap and customers can contribute to requests by visiting our forums at https://support.numecent.com/a/forums/. Patch updates are versions containing only bug fixes to address critical product defects, such as critical vulnerabilities. Customers and partners will be notified by email when a new release or patch update is available for download. Release notes will be supplied, which will highlight the changes in the new release or patch update.New ReleasesA new release can occur within 12 to 18 months (approximately) after the last new release. Each new release of a product (that includes open source third-party libraries or prerequisites) will include the latest patch update for a currently commercially available version of that library. For example, if the product requires Java 1.8 to function, then the latest patch update for Java 1.8 (such as 1.8.202) will be supported assuming that version 1.8 is still commercially available.Patch UpdatesA patch update can occur, if needed, within 1 to 2 months (approximately) after the last patch release. Each patch update will be certified to work with the latest prerequisites patch version. Classes of VulnerabilitiesNumecent classes vulnerabilities into one of two categories:Critical vulnerabilitiesVulnerabilities that can be exploited by an unauthenticated attacker over the network to compromise a system or user data, such as zero-day attacks. These vulnerabilities will have a CVSS rating of 7 or higher (https://www.cvedetails.com/).Non-critical vulnerabilitiesAll other issues that have a security impact.Fix or Corrective ActionNumecent supports the latest patch version for any prerequisites required by a supported product (e.g. version 1.0.x). We encourage all customers to maintain their environments with the latest operating systems patches and prerequisite patches. Support will post an announcement on the support portal and send an email to notify customers and partners about potential security issues with prerequisites.In the event of a critical vulnerability that affects a Numecent product, or an open source library used by a Numecent product, then a patch update will be expedited as an emergency hotfix. Our Support team will notify affected customers about vulnerabilities within 24 hours via email. In addition, an announcement will be posted on our Support portal.More detailed results of the assessment along with a severity level and a remediation plan will be identified within twenty (20) business days. The report will include the following details:Date and time of the security assessmentProduct name and versionSummaryFacts and documented evidenceActions takenAdditional steps to remedy the effectsExpected time frame for remediation measuresReporting Security VulnerabilitiesNumecent welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. Please open a support ticket if you believe there is a potential security vulnerability and we will treat it with the highest urgency.