Security Upgrade Policy

This document defines the Security Upgrade Policy (SUP) for Stamus products.

Scope

The scope covers all officially supported commercial Stamus products, listed with their latest stable version in the table of currently supported products below:

Product                       Version
Stamus Central Server (SCS)   41.0.0
Stamus Network Probe          41.0.0

The scope is also defined by the sources used to build the products. These include:

  • Debian Upstream Repository

  • Opensearch Upstream Repository

Process

Stamus monitors multiple sources for CVEs, vulnerabilities, updates and other indications that security related updates are required. This happens at least daily and is assisted by automated vulnerability scanning and auditing.

Classification

Known vulnerabilities are classified into three sections based on severity. Severity is derived from the CVE score, the type of vulnerability, the likelihood of exploitation, the risk value and the availability of PoCs. In addition, Stamus validates whether the vulnerability is applicable at all: the affected feature may not be used, a workaround may be in place, or Stamus may have made custom modifications that are not affected by the vulnerability.

Severity   Color    Classification
Critical   Purple   CVE Score of 9 or higher, RCE
High       Red      CVE Score of 7 or higher, LPE
Medium     Yellow   CVE Score of 4 or higher, RCE

Schedules

The severity defines the period within which the upgrade must be released.

Severity   Upgrade Period
Critical   within 1 month
High       within 3 months
Medium     within 6 months

Rollout

Upgrades are prepared and must pass the standard QA release process before being made available to customers.

Stamus releases regular upgrades each month for the latest supported major version of the appliances. These upgrades are released in the first week of each month, unless stated otherwise before the scheduled release. Stamus may release urgent upgrades sooner if the criticality justifies it.

Release versioning

Stamus appliance releases follow the version numbering X.Y.Z, defined by:

  • X - Major version

  • Y - Minor version

  • Z - Security upgrade version