CVE lifecycle handling

Review how Solo handles the lifecycle of Common Vulnerabilities and Exposures (CVEs).

Overview

The end-to-end lifecycle for CVE handling consists of the following stages:

Figure: Lifecycle stages for CVE handling

Stage: Description
Inbound: Inbound channels for reporting potential CVEs that affect Solo.io products, including FedRAMP requirements for monthly vendor responses to security scans.
Tracking: Continuous monitoring of reported CVEs with details on assessment and remediation status.
Analysis: Determination of whether a given CVE affects Solo.io products, the CVE severity, and a suggested remediation plan if required.
Remediation: A change introduced to our product (code fix, dependency bump, etc.) that is incorporated into a product release.
Reporting: Communication of CVE-related information to parties outside of Solo.io, including customers.

CVE lifecycle stages

Learn more about each CVE lifecycle stage.

Inbound

The following sources are used to determine product exposure to CVEs:

Tracking

All reported CVEs that meet the minimum threshold enter the tracking process step. The minimum threshold for tracking includes:

Embargoed CVEs are tracked in a separate repository and subject to the constraints set forth by the associated upstream security workgroup.

Analysis

Analysis of reported CVEs consists of the following steps:

Remediation

Remediation of a CVE involves introducing a fix to the affected code and releasing the associated component. The process and timing for these activities can be separated into two categories:

Fixes for CVEs that impact dependencies are subject to the ability of the third-party community to accept these fixes and to incorporate them into a release.

Reporting

Security scan results for product images are published in the Solo.io product documentation with each release.

In addition to public reporting on security scanning, Solo.io works directly with customers on FedRAMP reporting and compliance requirements related to CVE scan results. Solo reviews customer scan reports, evaluates CVEs, remediates CVEs based on Solo.io’s analysis, and provides vendor responses to identified CVEs.

Certain CVEs require special attention due to their disclosure status, severity, or heightened awareness (e.g. Heartbleed, Log4j). In these cases, Solo.io may use additional reporting channels, including direct email and the Solo.io blog, to communicate CVE information.

Updates & Questions

Solo reserves the right to change this process in its sole discretion. Solo.io’s security processes are reviewed regularly to ensure compliance with industry standards and the current security landscape. For questions or additional details, email security@solo.io.