The process of tackling vulnerabilities
OutSystems constantly monitors for vulnerabilities in the product and the generated code. Only vulnerabilities on the currently supported versions are analyzed and corrected.
At a high level, handling a vulnerability found at OutSystems consists of two phases: the embargo phase and public disclosure.
During the embargo phase, and to protect customers, OutSystems doesn't disclose further details about the vulnerability. The more details are divulged, the more likely it is that the information is used to exploit the vulnerability. OutSystems therefore allows customers a reasonable amount of time to protect their infrastructures before disclosing further details.
During the embargo phase, the following steps occur:
- Identification: OutSystems learns about the vulnerability.
- Classification: OutSystems analyses the vulnerability and assigns it a risk score and a severity. This is done using the CVSS 3.0 framework (CVSS Severity). The framework assigns a risk score to the vulnerability, which is then translated into one of five possible severities, ranging from Info to Critical, according to that score.
- Risk Assessment: OutSystems studies each vulnerability and defines a recommended mitigation strategy. The mitigation can range from shutting a service down to releasing a patch. For vulnerabilities with a High or Critical severity, OutSystems proactively contacts its customer base and patches PaaS infrastructures.
- Planning and Fix: OutSystems defines a calendar and a deadline for the fix. The fix and/or workaround for the vulnerability is prepared, and the patching of PaaS infrastructures is scheduled.
- Fix release: A fix is publicly released along with installation details. On-premises infrastructures can be patched at the customer's discretion.
- Customer communications: When the fix is released, a communication is issued to the entire OutSystems customer base. It includes the fix instructions and workarounds (if applicable). For PaaS customers, a patch schedule may also be communicated for all affected environments; if the patch has no impact on normal operations and availability, no scheduling is required. A security bulletin is published in the vulnerabilities knowledge base. At this point the bulletin doesn't disclose technical details about the vulnerability, but a date for the public disclosure is defined.
- Vulnerability details: Approximately 90 days after the fix release and the initial communications, OutSystems discloses further details about the vulnerability and updates the security bulletin with that information.
Communicating vulnerabilities to our customers
OutSystems issues public notifications of vulnerabilities as emails to infrastructure administrators, via support portal tickets, or by publishing a new article that is listed at the bottom of this page. Upon public disclosure, only the article is updated.
Who receives security vulnerability emails?
Customers can control who receives security notifications by filling in their security contact in the Account Settings area. Apart from the security contact, the notifications are also sent to the following people:
- Customer members (managed in the Account Settings area)
- Company Administrators
- Infrastructure Administrators
- Subscription contacts (managed in the Licensing Portal)
- Financial contact
- Technical contact