Mambo.IO works hard to create products that our customers trust in critical operations of their business. Therefore we take great care to create products which are built with security in mind. However we recognise that security is difficult and we appreciate it when our customers notify us of any problems or concerns you have with our products. The Security Policy is here to document our commitment to resolving security issues as effectively as possible.
Security Severity Definitions
Mambo.IO categorises vulnerabilities into four distinct classes described below.
Severity Level: Critical
Critical vulnerabilities usually have the following characteristics:
- Vulnerabilities which result in the compromise of user data.
- Vulnerabilities which result in root level access of servers or infrastructure components.
- Vulnerabilities for which the information required to exploit is readily available to attackers.
- Vulnerabilities which are straight forward and do not require any form of special authentication or knowledge.
For critical vulnerabilities it is recommended that you upgrade as quickly as possible to a patched version of the product.
Severity Level: High
High vulnerabilities usually have the following characteristics:
- Vulnerabilities which do not result in root level access of servers or infrastructure.
- Vulnerabilities which do not result in significant compromise of user data.
- Vulnerabilities which are difficult to exploit by attackers.
Severity Level: Medium
Medium vulnerabilities usually have the following characteristics:
- Vulnerabilities which affect only very specific configurations.
- Vulnerabilities which require the attackers to have access to the local network.
- Vulnerabilities which provide limited access to servers or infrastructure.
- Vulnerabilities which require the attacker to perform social engineering.
Severity Level: Low
Low vulnerabilities usually have the following characteristics:
- Vulnerabilities which have low-to-no business impact on the organisation.
- Vulnerabilities which require physical access to the systems.
- Vulnerabilities which are extremely difficult to perform.
Security Vulnerability Response
When a security issue is discovered or reported, the Mambo Support Team will take the following steps:
- Send the issue to our Security Architect to determine the scope and severity of the issue.
- Release updated versions of our products where the issue is resolved as soon as possible.
- Communicate to our customers and partners that the new release is available.
Product Fix Versions
Security issues will be handled in accordance to their severity level and the support phase of the product:
- Critical: work on a fix or workaround will begin immediately. The fix or workaround will be provided to customers in the shortest commercially reasonable time. This will apply to products in the Full Support Phase or in the Limited Support Phase.
- High: a fix will be provided with the next planned Support Package or Release of the product and where relevant a Hot Fix may be provided. This will apply to products in the Full Support Phase or in the Limited Support Phase.
- Medium and Low: a fix will be delivered with the next release of the product. This will apply to products in the Full Support Phase.
When a fix or workaround for a vulnerability becomes available, Mambo.IO will notify its customers in the following ways:
- The Security Advisory page will be updated at the time we release a fix for the vulnerability.
- Customers will be notified by email of the security issue and of the availability of a fix or workaround.
- Customers who raised the security issue will be notified through the Support Portal.
Reporting Security Issues
All security issues should be reported by raising a support case via the Support Portal. If you do not have access to the Support Portal, please email us at firstname.lastname@example.org to avoid information about the security vulnerability becoming public.