The process of tackling vulnerabilities
High level, the phases of tackling a vulnerability found at the OutSystems Platform are represented as follows:
It consists of two phases: the embargo phase and public disclosure.
During the embargo phase, and to protect our customers, no details about the vulnerability are disclosed. It's important to note that the more details are divulged, the more probable it is that such information is used to exploit the vulnerability. Therefore, we allow our customers reasonable time to protect their infrastructures before disclosing further details.
During the embargo phase the following steps occur:
1. Identification: The vulnerability is identified and communicated to OutSystems by either external parties or OutSystems teams.
2. Classification: The vulnerability is analyzed and a risk score and severity are assigned to it. This is done using the CVSS 3.0 framework. This framework assigns a risk score to a vulnerability that is then translated into one of five possible severities, ranging from Info to Critical, according to the risk score.
3. Risk Assessment: For all vulnerabilities, the vulnerability is studied and a recommended mitigation strategy is defined. The mitigation can range from shutting a service down to releasing a patch. OutSystems will proactively contact its customer base and patch PaaS infrastructures for vulnerabilities with a High or Critical severity.
4. Planning and Fix: A calendar and a deadline for the fix are defined. The fix and/or workaround for the vulnerability is prepared. The patching of PaaS infrastructures is scheduled.
5. Fix release: A fix is publicly released along with installation details. On-premise infrastructures can be patched at the customer's discretion.
6. Customer communications: At the same time as the fix is released, a communication is issued to the whole OutSystems customer base. It includes the fix instructions and workarounds (if applicable). For PaaS customers, a patch schedule may also be communicated for all affected environments. If the patch has no impact on normal operations and availability, it won't require scheduling. A security bulletin is published in our vulnerabilities knowledge base. At this point, the bulletin does not disclose technical details about the vulnerability, but a date for the public disclosure is defined.
7. Vulnerability details: Approximately 90 days after the fix release and the initial communications, OutSystems discloses further details about the vulnerability found. The security bulletin is updated with that information.
Communicating vulnerabilities to our customers
In step 6, OutSystems sends an email to its whole customer base. The security bulletin is published and is included in the email communication. Upon public disclosure, only the security bulletin is updated and no emails are sent.
Who receives security vulnerability emails?
Customers can control who receives security notifications by filling in their security contact in their Account Settings area. Apart from the security contact, the notification will also be sent to the people below:
- Customer members (managed in the Account Settings area)
- Company Administrators
- Infrastructure Administrators
- Subscription contacts (managed in the Licensing Portal)
- Financial contact
- Technical contact