CVE Policy
At D2iQ, our commitment to providing secure software is paramount. We understand the importance of promptly addressing and mitigating security vulnerabilities to protect our customers and partners. This document outlines our policies and procedures for handling CVEs (Common Vulnerabilities and Exposures) and describes how we deliver software that is as secure as possible.
CVE Management:
Our procedure for managing CVEs is explained in the sections below.
Scanning Policy:
Our primary objective is to deliver software that is free from known critical security vulnerabilities (CVEs rated Critical).
To achieve this, we conduct regular scans of our software components, including:
Kubernetes
D2iQ Platform applications (Traefik, Istio, …)
D2iQ Catalog applications (only versions that are compatible with the default Kubernetes version supported by that DKP release, as shown in our docs: Workspace DKP Catalog Applications)
DKP Insights Add-on
Scans are performed every 24 hours using the latest available CVE database so that newly published vulnerabilities are identified and addressed promptly. The scanner version and the CVE database version are published alongside the security scan results, so that readers can tell which vulnerability data a given result reflects.
Shipping Policy:
Our goal is to ship software releases with no unmitigated Critical CVEs.
For major and minor releases, we aim to ensure that there are no known, unmitigated critical CVEs.
In the case of patch releases, a critical CVE may remain unmitigated if the only resolution involves upgrading a component to a new minor version.
Critical CVEs that remain unmitigated in a patch release are listed in the "Known Issues" section of the release notes.
We prioritize resolving such CVEs in the next minor release.
If we discover a critical CVE affecting a release that is already Generally Available (GA), and the mitigation requires a patch release, we commit to releasing a patch containing the mitigation within 60 days of the date of discovery. This ensures that customers of GA releases receive prompt protection against critical vulnerabilities.
Known Issues:
If we become aware of a Critical CVE in any of our shipped applications, even if it is not (yet) mitigated, we will promptly add it to the D2iQ Security Updates page.
For each CVE, we will provide the interim mitigation steps that customers should take to protect their systems.
We will also outline our plan for resolution in the "Mitigation" column of that report.