Vulnerability Management
Our proactive and comprehensive vulnerability management program includes continuously monitoring, identifying, communicating, and remediating vulnerabilities in our products, including vulnerabilities that originate in third-party components or open source components.
Each stage of our vulnerability management program is designed to foster a culture of security resilience. The following table provides a summary of the activities that comprise each stage.
| Stage | Description |
|---|---|
| Identification | Detecting vulnerabilities through regular 24/7 monitoring, external penetration testing, weekly and daily vulnerability scans, and our Bug Bounty Program. |
| Prioritization | We rely on NIST CVE severity as the most authoritative data for open source and third-party product vulnerabilities. Vulnerabilities found in our core products are prioritized based on criteria and our internal testing. |
| Assessment | We rely on NIST CVE severity where applicable. Where not applicable, we use a risk-based approach to assessing vulnerabilities and consider the exploitability, impact on business continuity, and/or how the software is sourced, built, packaged, and deployed. |
| Communication | Security advisories are published for all critical and high vulnerabilities after they are discovered, prioritized, and assessed. Refer to Security Bulletins for further information. |
| Remediation | Developed fixes are applied as soon as practical. Third-party component remediations may be delayed depending on the availability of upstream fixes. |
| Verification | Once the remediation has been completed, thorough testing is done to ensure the fixes are effective. Customers may need to upgrade their existing clusters to inherit vulnerability fixes. |
Like most other cloud native products, our products depend on many open source libraries and third-party components. Often there are external dependencies on open source communities and third-party vendors in addressing these vulnerabilities. Where applicable and appropriate, we will include workarounds in the security advisories.