Skip to content

Security monitoring procedure

Jump to bottom Edit New page
Jeroen Jansen van Rosendaal edited this page Apr 21, 2023 · 4 revisions

This process describes how critical and high security findings are solved, monitored and registered.

Releases

  • Previous release (n-1)
  • Current release (n)
  • Upcoming release (n+1)

Process

Detecting

We use dependabot in our github environment and snyk in our local CI to detect potential CVE's

Fixing

  1. A CVE or other security issue is detected.
  2. The core development team determines impact
    • Severity of the CVE
    • Usage of code/library containing the CVE (test/compile/provided)
    • Is a fix available (if not are any alternatives available)
    • What is the impact of the fix to the framework
  3. Based on the analysis we determine the FF severity and the plan of attack
    • critical --> needs immediate fix for (n-1 / n / n+1) and potentially creation of a new version
    • high --> needs an immediate fix implemented on for the next bugfix/security release (n-1 / n / n+1)
    • medium --> fixed as soon as possible fix implemented for the next release (n / n+1) (depends on impact on framework)
    • low --> fixed on (n+1)

_Critical _

Add a custom footer
Clone this wiki locally