Numecent builds products that customers can trust in critical production operations, and as such, we recognize that our products must meet the highest standards for security. This article documents our process for evaluating and resolving possible vulnerabilities in our products and services so that our customers can have the assurance that corrected action will be taken in a timely fashion.
New releases are major versions containing features, change requests, and product bug fixes. Features are prioritized by Numecent's roadmap and customers can contribute to requests by visiting our forums at https://support.numecent.com/a/forums/. Patch updates are versions containing only bug fixes to address critical product defects, such as critical vulnerabilities. Customers and partners will be notified by email when a new release or patch update is available for download. Release notes will be supplied, which will highlight the changes in the new release or patch update.
New Releases – New release can occur within 12 to 18 months (approximately) after the last new release.
Patch Updates – Patch updates can occur, if needed, within 1 to 2 months (approximately) after the last patch release.
Each "new release" of a product, that include open source third-party libraries or prerequisites, will include the latest patch update for a currently commercially available version of that library. For example, if the product requires Java 1.8 to function, then the latest patch update for Java 1.8, such as 1.8.202, will be supported assuming that version 1.8 is still commercially available. Each "patch update" will be certified to work with the latest prerequisites patch version.
Classes of Vulnerabilities
Numecent classes vulnerabilities into one of two categories:
Critical vulnerabilities - Vulnerabilities that can be exploited by an unauthenticated attacker over the network to compromise a system or user data, such as zero-day attacks. These vulnerabilities will have a CVSS rating of 7 or higher (https://www.cvedetails.com/).
Non-critical vulnerabilities - All other issues that have a security impact.
Fix or Corrective Action
Numecent support the latest patch version for any prerequisites required by a supported product, such as Tomcat 8.5.x. We encourage all customers to maintain their environments with the latest operating systems patches and prerequisite patches. Support will post an announcement on the support portal and send an email to notify customers and partners about potential security issues with prerequisites.
In the event of a critical vulnerability that affects an open source library used by a Numecent product, then a patch update will be expedited as an emergency hotfix. Customers will be notified to update.
Reporting Security Vulnerabilities
Numecent welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. Please open a support ticket if you believe there is a potential security vulnerability and we will treat it with the highest urgency.