How OpenLogic handles vulnerabilities

OpenLogic monitors and addresses vulnerabilities in supported open-source frameworks after community support ends.

Types of vulnerabilities addressed

OpenLogic handles vulnerabilities from the following sources:

  • Official CVEs: Publicly disclosed vulnerabilities listed in MITRE's CVE database and the National Vulnerability Database (NVD)

  • Undisclosed vulnerabilities: Issues reported by customers that haven't yet received a CVE ID

Proactive vs. reactive fixes

Proactive fixes are initiated when OpenLogic’s monitoring systems identify a CVE affecting a supported framework.

Reactive fixes are initiated when a customer reports a vulnerability.

Severity threshold

OpenLogic prioritizes vulnerabilities with a CVSS score of 7 or higher. These are considered high or critical severity.

Patch timeline

  • Vulnerability fixes typically take 4 to 6 weeks to test and validate.

  • Critical issues may be patched sooner, depending on scope and impact.

CVE disclosure process

If a customer reports a new vulnerability:

  1. OpenLogic evaluates the issue.

  2. If severity is high enough, OpenLogic develops a patch or workaround.

  3. OpenLogic submits the issue to MITRE for CVE assignment before public disclosure.