Security Upgrade Policy¶
This document defines the Security Upgrade Policy (SUP) for Stamus products.
Scope¶
The scope covers all officially supported commercial Stamus products at their latest stable version. The currently supported products and versions are:
| Product | Version |
|---|---|
| Stamus Central Server (SCS) | 41.0.0 |
| Stamus Network Probe | 41.0.0 |
The scope also covers the upstream sources from which the products are built:
- Debian upstream repository
- OpenSearch upstream repository
Process¶
Stamus monitors multiple sources for CVEs, vulnerability reports, upstream updates and any other indication that a security-related update is required. This check is performed at least daily and is supported by automated vulnerability scanning and auditing.
Classification¶
Known vulnerabilities are classified into three severity levels. The severity is derived from the CVSS score, the type of vulnerability, the likelihood of exploitation, the assessed risk and the availability of public proof-of-concept code. In addition, Stamus validates whether the vulnerability is actually applicable to the product: the affected feature may not be used, a workaround may already be in place, or Stamus may have made custom modifications that are not affected by the vulnerability.
| Severity | Color | Classification |
|---|---|---|
| Critical | Purple | CVSS score of 9.0 or higher; remote code execution (RCE) |
| High | Red | CVSS score of 7.0 to 8.9; local privilege escalation (LPE) |
| Medium | Yellow | CVSS score of 4.0 to 6.9 |
Schedules¶
The severity defines the maximum period within which the upgrade must be released.
| Severity | Upgrade Period |
|---|---|
| Critical | within 1 month |
| High | within 3 months |
| Medium | within 6 months |
Rollout¶
Upgrades are prepared and must pass the standard QA release process before being made available to customers.
Stamus releases regular upgrades each month for the latest supported major version of the appliances. These upgrades are released in the first week of each month, unless stated otherwise before the scheduled release. Stamus may release out-of-band upgrades sooner when the severity justifies it.
Release versioning¶
Stamus appliance releases follow the version numbering scheme X.Y.Z, where:
X - Major version
Y - Minor version
Z - Security upgrade version (incremented for each security upgrade of a given X.Y release)