Vulnerability reporting policy
How we prevent vulnerabilities
Ogma is scanned continuously for vulnerabilities both in our code and in third-party dependencies using static code analysis tools and dependency scanning tools.
How we handle new vulnerabilities
When a security vulnerability is discovered in Ogma:
- We launch an internal task-force to evaluate the impact of the vulnerability and define its severity (see Severity levels).
- If the severity level of the vulnerability is high or critical, we publish a vulnerability report in our online vulnerability list. The report that we publish is updated continuously. It contains assessment, workaround and mitigation instructions.
- For critical severity: a report is published within 2 working days
- For high severity: a report is published within 10 working days
- If the severity is critical, we notify all potentially impacted customers by e-mail as soon as the report is published.
- We publish a software patch. Customers are notified by e-mail as soon as the patch is available.
Our vulnerability reports include a severity level. This severity level is based on our self-calculated CVSS score (Common Vulnerability Scoring System) for each specific vulnerability. CVSS is an industry standard vulnerability metric (learn more about CVSS).
For CVSS v3, we use the following severity rating system:
|CVSS v3 score range
|Report severity level
|0.1 - 3.9
|4.0 - 6.9
|7.0 - 8.9
|9.0 - 10.0
Below are a few examples of vulnerabilities which may result in a given severity level. Please keep in mind that this rating does not take into account details of your installation and are to be used as a guide only.
Severity Level: Critical
Critical severity vulnerabilities usually have most of the following characteristics:
- Exploitation of the vulnerability likely results in root-level compromise of servers or infrastructure devices.
- Exploitation is usually straightforward, in the sense that the attacker does not need any special authentication credentials or knowledge about individual victims, and does not need to persuade a target user, for example via social engineering, into performing any special functions.
For critical vulnerabilities, it is advised that customers patch or upgrade as soon as possible, unless you have other mitigating measures in place. For example, a mitigating factor could be if your installation is not accessible from the Internet.
Severity Level: High
High severity vulnerabilities usually have some of the following characteristics:
- The vulnerability is difficult to exploit.
- Exploitation could result in elevated privileges.
- Exploitation could result in a significant data loss or downtime.
Severity Level: Medium
Medium severity vulnerabilities usually have some of the following characteristics:
- Vulnerabilities that require the attacker to manipulate individual victims via social engineering tactics.
- Denial of service vulnerabilities that are difficult to set up.
- Exploits that require an attacker to reside on the same local network as the victim.
- Vulnerabilities where exploitation provides only very limited access.
- Vulnerabilities that require user privileges for successful exploitation.
Severity Level: Low
Low severity vulnerabilities typically have very little impact on an organization's business. Exploitation of such vulnerabilities usually requires local or physical system access. Vulnerabilities in third party code that are unreachable from Ogma's code may be downgraded to low severity.
Reporting a vulnerability
If you have discovered an unknown security vulnerability in Ogma, please get in touch with us via email: email@example.com