Security Issues Procedure
At BloomReach, we take security very seriously. This page describes what to do if you discover a security issue in a BloomReach product, and how BloomReach deals with security issues.
What to do if you discover a security issue?
If you discover a potentially harmful security issue in a BloomReach product, please contact us at hippo-security@bloomreach.com immediately, so we can initiate the process described below.
How does BloomReach handle security issues?
We have the following process in place to deal with security-related issues:
Any potentially harmful security issue must be reported by sending an e-mail to hippo-security@bloomreach.com. This e-mail address is continuously monitored by product stakeholders from several different departments within our company.
The issue reported to hippo-security@bloomreach.com is assessed by the product stakeholders within one business day.
If the issue is assessed as being a potentially harmful security issue, it is entered in an internal issue tracking system and assigned to the appropriate team. The reporter is informed that the issue is under investigation.
If the issue is assessed as not being a security-related issue, the reporter is informed through a standard response that this is not the appropriate channel to report this issue. The issue is then forwarded to the helpdesk, which will contact the reporter to discuss whether further assistance is required.
The team assigned to the issue verifies the reported behavior. The outcome of this effort (verified or not reproducible) is communicated to the reporter of the issue.
The team assigned to the verified issue categorises the issue as major or minor. Major issues are those with an OWASP risk rating of MEDIUM or higher; for these a dedicated hot-fix version is created. For minor issues, the fix is included in the next regular maintenance release.
All BloomReach Experience customers are informed about the security fix and encouraged to apply the hotfix or maintenance release as soon as possible.
The Hippo CMS community is informed about the security fix six weeks after informing our customers. For major issues, a fix equivalent to the hotfix is included in a regular maintenance release, and each fixed security issue is published on this site (see link below). This provides BloomReach Experience customers with sufficient time to apply the hotfix or maintenance release before the security fix is made public. Once the major security fix is public, BloomReach Experience customers can upgrade to the public maintenance release and drop the hotfix.