CVE Policy
At D2iQ, our commitment to providing secure software solutions is paramount. We understand the critical importance of promptly addressing and mitigating security vulnerabilities. To give our customers assurance about the safety and trustworthiness of our secure software development program, we have created this document to outline our policies and procedures regarding CVEs (Common Vulnerabilities and Exposures) that are discovered in our Software.
CVE Management:
Our procedure for managing CVEs is explained in the sections below.
Scanning Policy:
Our primary objective is to provide software that is free from critical security vulnerabilities (CVEs) at the time of delivery.
We conduct regular scans of our software components, including:
Kubernetes
D2iQ Platform applications (Traefik, Istio, …)
D2iQ Catalog applications (only versions that are compatible with the default Kubernetes version supported with that DKP release, shown in our docs: Workspace DKP Catalog Applications)
DKP Insights Add-on
Scans are performed every 24 hours using the latest CVE database to identify potential vulnerabilities promptly. When results are published, the CVE identifier, criticality, and release tied to a mitigation or remediation will be included with those results.
Security Advisories are published for discovered Critical CVEs.
Shipping Policy:
Our objective is to ship software releases that do not have Critical CVEs where a mitigation or remediation is not available.
For major and minor releases, we aim to ensure that there are no known, unmitigated critical CVEs.
A patch for a critical CVE may be provided in a minor release or a patch release, depending on the component.
We prioritize resolving these issues in the next minor release to maintain our commitment to security.
In the event that we discover a critical CVE in a Generally Available (GA) version of our Software, a mitigation or patch release will be targeted for release within 45 days from the date of publication or development, as applicable.
More Information
For more information on our secure development program and process, please refer to: Nutanix Support & Insights.