Security and Vulnerability Handling Process
Critical security vulnerabilities are announced on vendor mailing lists, in security newsletters, by MELANI, and through many other sources. These security advisories are analysed, and if a vulnerability directly affects one of our systems, the update is planned as soon as possible.
Urgent upgrades are assessed and planned immediately; less urgent vulnerabilities are patched according to our maintenance process.
Our maintenance process ensures regular system updates (some customer systems are exceptions and are maintained according to special agreements). We manage server systems based on Ubuntu and Red Hat; both vendors usually provide updates rapidly. With this regular maintenance, known vulnerabilities are eliminated within one week.
Internal security incidents are reported according to our ISO 27001 certified incident management process.
Our Responsible Ops engineers supervise our monitoring dashboard during office hours according to our monitoring concept, and are able to react quickly during that time.
Customers can report vulnerabilities to VSHN according to their Service Level Agreement.
We regularly discuss security issues in our vshn.chat #security channel.
Our standard procedure for handling security issues or vulnerabilities:
Someone (customer, employee, Responsible Ops, etc.) becomes aware of a vulnerability.
A ticket is created in control.vshn.net.
If it is a critical vulnerability, it is announced in our chat and an ad-hoc task force starts discussing potential solution paths.
If immediate action within 24 hours is required, the affected systems are updated. Because of our flexible working philosophy, there is always someone available who can handle the update.
Such maintenance work is announced via:
VSHN does not actively monitor vulnerability announcements outside office hours.
Customers with a 24/7 contract who become aware of a critical vulnerability should…
The on-call engineer assesses the issue and can escalate to the 2nd-level on-call engineers if there is a bigger problem to tackle.
We’re subscribed to the most important security announcement lists, such as: