Security Bug Fix Policy

Owned by Bruno Marotta
Jun 23, 2022

Ease Solutions makes it a priority to ensure that customers' systems cannot be compromised by exploiting vulnerabilities in Ease Solutions products.

Scope

The following describes how and when we resolve security bugs in our products. It does not describe the complete disclosure or advisory process that we follow.

Security bug fix Service Level Objectives (SLO)

We have defined the following timeframes for fixing security issues in our products:

Accelerated Resolution Timeframes

These timeframes apply to all cloud-based Ease Solutions products and any other software or system that is running on Ease Solutions infrastructure.

  • Critical severity bugs to be fixed in the product within 2 weeks of being reported

  • High severity bugs to be fixed in the product within 4 weeks of being reported

  • Medium severity bugs to be fixed in the product within 6 weeks of being reported

  • Low severity bugs to be fixed in the product within 25 weeks of being reported

Extended Resolution Timeframes

These timeframes apply to all self-managed Ease Solutions products. A self-managed product is installed by customers on customer-managed systems.

  • CriticalHigh, and Medium severity bugs to be fixed in the product within 90 days of being reported

  • Low severity bugs to be fixed in the product within 180 days of being reported

Critical Vulnerabilities (self-managed products)

When a Critical security vulnerability is discovered by Ease Solutions or reported by a third party, Ease Solutions will issue a new, fixed release for the current version of the affected product as soon as possible.

The critical vulnerabilities resolution process does not apply to our Ease Solutions Cloud products as these services are always fixed by Ease Solutions without any additional action from customers.

Non-critical vulnerabilities

When a security issue of a High, Medium, or Low severity is discovered, Ease Solutions will include a fix in the next scheduled release.

You should upgrade your installations when a bug fix release becomes available to ensure that the latest security fixes have been applied.

Other information

The severity level of vulnerabilities is calculated based on the Common Vulnerability Scoring System.

We will continuously evaluate our policies based on customer feedback and will provide any updates or changes on this page.