SECURITY VULNERABILITY PROCESS

Scope

The following describes how and when we resolve security bugs in our products. It does not describe the complete disclosure or advisory process that we follow.


Security bug fix Service Level Agreement (SLA)

We have defined the following timeframes for fixing security issues in our products:

  • Critical severity bugs (CVSS v2 score >= 8, CVSS v3 score >= 9) are to be fixed in the product within 4 weeks of being reported
  • High severity bugs (CVSS v2 score >= 6, CVSS v3 score >= 7) are to be fixed in the product within 6 weeks of being reported
  • Medium severity bugs (CVSS v2 score >= 3, CVSS v3 score >= 4) are to be fixed in the product within 8 weeks of being reported


Resolution policies

When a Critical security vulnerability is discovered by us or reported by a third party, the following will be undertaken:

  • Issue a new, fixed release for the cloud deployment; all clients are protected once users reload their web browser

Non-critical vulnerabilities:

  • When a security issue of a High, Medium or Low severity is discovered, we will include a fix in the next scheduled release
  • The only requirement is for users to refresh the web browser session when the fix is advertised


Monitoring

  • We use a combination of internal monitoring and the Detectify service to maintain a high standard of threat awareness
  • Customer data configuration changes are auditable
  • Internal policies include mandatory 2-factor authentication, staged environments with segregated access permissions, and restricted, audited access to client data


FAQ

What is the deployment solution for Neelix?

  • We do not run our own physical infrastructure. Instead, we leverage the power and security of Google Cloud Platform
  • The application and datastore are hosted in GCP; the host region is us-central
  • Data is encrypted at rest

What is a ‘release’?

  • A release is a version number or tag which contains new features or changes to existing features
