Product Security Vulnerability Response Policy

(Updated October 16, 2019)

Introduction

At Syncro Soft, we consider the security of our systems and products a top priority. We recognize that unless our products meet the highest standards for security, customers will not be able to deploy them with confidence. This Vulnerability Response Policy documents our commitments for resolving possible vulnerabilities in our products so that our customers can be assured that any such issues will be corrected in a timely fashion.

This Policy describes how to report potential security vulnerabilities affecting the Syncro Soft software products and how customers are informed by Syncro Soft about verified vulnerabilities, resolutions and mitigations.

Reporting a New Vulnerability

Syncro Soft encourages users who become aware of a security vulnerability in Syncro Soft products to contact Syncro Soft with details of the vulnerability. Syncro Soft hopes that users encountering a new vulnerability will contact us privately as it is in the best interests of our customers that Syncro Soft has an opportunity to investigate and confirm a suspected vulnerability before it becomes public knowledge.

Syncro Soft has established an email address that should be used for reporting a vulnerability. Please send descriptions of any vulnerabilities found to .

Note:

We encourage use of encrypted email. Please use our PGP key when sending any vulnerability details. It can be obtained from a public key server such as pgp.mit.edu, or you can request it through the same e-mail.

We recommend that the following details of the vulnerability be included in your report:

  • A detailed description of the steps required to reproduce the vulnerability. Screenshots are helpful.
  • Description of the potential impact of the vulnerability.
  • Any technical information and related materials we would need to reproduce the issue.

Please keep your vulnerability reports current by sending us any new information as it becomes available.

If issues reported to our program affect a third-party library, an external project, or another vendor, we reserve the right to forward details of the issue to that party without further discussion with you. We will do our best to coordinate and communicate with you through this process, and we will not share your name with third parties without your approval.

Important:

Check your findings against the following available resources to see if the vulnerability has already been identified and addressed:

Assessment

All security vulnerabilities reported to Syncro Soft are thoroughly investigated, assessed and prioritized. Syncro Soft uses the Common Vulnerability Scoring System version 3 (“CVSSv3”) as a part of our process for evaluating potential vulnerabilities in Syncro Soft products.

Where a CVSSv3 base score is not available from NIST or a vendor (as in the case of a third-party component), Syncro Soft will calculate the CVSSv3 base score itself. The overall severity of a security notification is determined by the highest CVSSv3 base score calculated for any single vulnerability covered by that notification, and is assigned one of five severity classifications:

Severity classifications

CVSSv3 Base Score | Severity Classification
9.0 – 10.0        | Critical
7.0 – 8.9         | High
4.0 – 6.9         | Medium
0.1 – 3.9         | Low
0.0               | None

More information on CVSS and how the score is calculated can be obtained from https://www.first.org/cvss/ (including worked examples at https://www.first.org/cvss/examples).

Vulnerability Notifications

Syncro Soft will use reasonable efforts to make an initial assessment, and to notify the reporter of it, within the following target intervals after notification.

Time targets

Severity Classification of Vulnerability | Target Interval for Assessment and Notification from Syncro Soft
Critical                                 | Within 1 business day
High                                     | Within 3 business days
Medium                                   | Within 1 week
Low                                      | Within 2 weeks
None                                     | At Syncro Soft's discretion

When a fix or corrective action for a vulnerability becomes available, Syncro Soft will notify its customers by means of a Security Advisory that describes the security vulnerability and references the release notes that detail the fix or corrective action. Based on the nature of the vulnerability and its classification, the Advisory may include a recommended mitigation action, a recommendation regarding the use of a third-party provided patch, a planned Syncro Soft software fix or update, and/or additional guidance regarding the vulnerability.

As each security vulnerability case is different, Syncro Soft may take alternative actions to notify customers, or a limited/specific group of customers, if necessary. For example, a security notification may also be transmitted through the "Check for updates" functionality available in desktop products like Editor, Developer and Author, and/or in the release notes.

Note:

Syncro Soft Security Advisories are posted at www.oxygenxml.com/security/advisories and are sent to subscribers of the Syncro Soft Security Announce mailing list. One can subscribe to this list by entering their email address in the “Sign-up for Security Notifications”

Remediation

Syncro Soft is committed to patching vulnerabilities within 90 days and to disclosing the details of those vulnerabilities when the fixes are published. The fix may take one or more of these forms:

  • A new major or minor release of the affected Syncro Soft product
  • A new maintenance or update release of the affected Syncro Soft product
  • A patch that can be installed on top of the affected Syncro Soft product
  • Instructions to download and install an update or patch for a third-party software component that is part of the Syncro Soft product installation
  • A corrective procedure or workaround that instructs users in adjusting the Syncro Soft product configuration to mitigate the vulnerability.

Time frames

Severity Classification of Vulnerability | Target Intervals for Remediation Action
Critical | If a software fix needs to be developed by Syncro Soft, it will be released as a patch or update as soon as reasonably possible.
High     | If a software fix needs to be developed by Syncro Soft, it will be included in the next update where the patch can be reasonably incorporated.
Medium   | If a software fix needs to be developed by Syncro Soft, it will be included in the next minor release where the fix can reasonably be incorporated. If no new minor releases are scheduled for a product, and Syncro Soft is providing maintenance support, Syncro Soft will incorporate the fix into an update.
Low      | If a software fix needs to be developed by Syncro Soft, it will be included in the next major or minor release where the fix can reasonably be incorporated. If no new major or minor releases are scheduled for a product, and Syncro Soft is providing maintenance support, Syncro Soft will make reasonable efforts to incorporate the fix into an update.
None     | No remediation actions will be required.

Note:

Syncro Soft's ability to meet the target remediation intervals (defined in the table above) depends on many factors, including third-party vendors providing updated components in a timely manner. These time frames are targets and not guarantees. Whenever possible, the Advisory will include steps users can take to protect their systems from exploitation of the vulnerability until a fix is applied.

Syncro Soft will apply fixes for product security vulnerabilities to all software releases that have not reached their End of Life (EOL) milestone. For more information on the applicable software releases and milestones, please refer to the EOL policy page.