Updated Vulnerability Handling Policy
At InterSystems, we believe in the responsible disclosure of recently discovered security vulnerabilities. We provide timely information to our customers, while keeping it out of the hands of people who may misuse it. We also understand that each customer has different requirements related to the resolution of security issues.
As we start 2023, we have made two significant changes to our approach to security vulnerability corrections that I’d like to highlight:
- Security vulnerability patches will be included in every release
- Improved customer notification
Security vulnerability patches in every release
Instead of waiting to deliver patches in a security release, every release may now include patches for security vulnerabilities. Our improved release cadence will deliver patches to the field in a timely manner.
Improved customer notification
Low and medium impact items, which often include vulnerabilities such as reconnaissance attacks or cross-site scripting attacks, will be included in each release and described in the product release notes.
Fixes for higher severity items will also be included in each release as they are ready, but the information regarding the fix will be embargoed until the patches are in all supported releases.
A Security Alert will be published for high and critical severity issues when they have been fixed in all supported releases.
Why has InterSystems made these changes?
We believe these improvements will:
- Get security patches to our customers faster
- Help focus on the highest severity fixes
- Make it possible, in some cases, to provide security fixes as patches instead of full kits
- Provide more transparency on how security vulnerabilities are managed by grouping vulnerabilities by their security impact
- Allow system administrators to apply more fixes based on their needs and requirements
Of course, the process becomes much more complicated with the notion of Maintenance Releases and Continuous Delivery releases. In order to help customers understand when and how they can get security fixes, we have published our Vulnerability Handling Policy with more detailed information.
I look forward to 2023, where we can continue improving your experience with our security and vulnerability management program.