Publishing Policy
When a critical severity security vulnerability is discovered and resolved, we will inform customers through the following mechanisms:
- We will post a security advisory on https://confluence.xpand-it.com/display/XPORTER/Security+Advisories at the same time as releasing a fix for the vulnerability.
- We will send an email copy of all critical security advisories to the technical contacts we have in our database.
If you want to track non-critical severity security vulnerabilities, you need to monitor the issue trackers for the relevant products on https://jira.xpand-it.com/, for example, https://jira.xpand-it.com/browse/XPORTER for Xporter for Jira Server and Data Center. Security issues are marked with security labels: security_vulnerability_critical, security_vulnerability_high, security_vulnerability_medium, security_vulnerability_low.
All security issues will be listed in the release notes of the release where they have been fixed, similar to other bugs.
Advisories
- Security Advisory 2020-04-29 - Blind SQL Injection on the Audit Log and RCE on Post Functions and Scheduled Reports
- Security Advisory - July, 2021
- Security Advisory - March, 2022
- Security Advisory - May, 2022