How OpenLogic handles vulnerabilities

OpenLogic monitors and addresses vulnerabilities in supported open-source frameworks after community support ends.

Types of vulnerabilities addressed

OpenLogic handles vulnerabilities from the following sources:

  • Official CVEs: Publicly disclosed vulnerabilities listed in MITRE's CVE database and the National Vulnerability Database (NVD)

  • Undisclosed vulnerabilities: Issues reported by customers that haven't yet received a CVE ID

Proactive vs. reactive fixes

Proactive fixes are initiated when OpenLogic’s monitoring systems identify a CVE affecting a supported framework.

Reactive fixes are initiated when a customer reports a vulnerability.

Severity threshold

OpenLogic prioritizes vulnerabilities with a CVSS score of 7 or higher. These are considered high or critical severity.

Patch timeline

  • Vulnerability fixes typically take 4 to 6 weeks to test and validate.

  • Critical issues may be patched sooner, depending on scope and impact.

CVE disclosure process

If a customer reports a new vulnerability:

  1. OpenLogic evaluates the issue.

  2. If severity is high enough, OpenLogic develops a patch or workaround.

  3. OpenLogic submits the issue to MITRE for CVE assignment before public disclosure.

Open Source Security Center CVEs dashboard

For information about the CVEs in all supported frameworks, see: