Scope

The following describes Tracer’s systematic way to address vulnerabilities and when we resolve security bugs in our products. 

Security bug fix Service Level Objectives

Tracer sets service level objectives for fixing security vulnerabilities based on the vulnerability rank. Resources like the Common Vulnerabilities and Exposures (or similar) could be utilized when appropriate to aid in answering the above questions.  

RankDescriptionFix Timeline (Business Days)
CriticalVulnerabilities that score in the critical range usually have most of the following characteristics:Exploitation of the vulnerability likely results in root-level compromise of servers or infrastructure devices.Exploitation is usually straightforward, in the sense that the attacker does not need any special authentication credentials or knowledge about individual victims, and does not need to persuade a target user, for example via social engineering, into performing any special functions.5 days
HighVulnerabilities that score in the high range usually have some of the following characteristics:The vulnerability is difficult to exploit.Exploitation could result in elevated privileges.Exploitation could result in a significant data loss or downtime.10 days
MediumVulnerabilities that score in the medium range usually have some of the following characteristics:Exploits that require an attacker to reside on the same local network as the victim.Vulnerabilities where exploitation provides only very limited access.Vulnerabilities that require user privileges for successful exploitation.20 days
LowVulnerabilities in the low range typically have very little impact on an organization’s business. Exploitation of such vulnerabilities usually requires local or physical system access.60 days

Non-critical vulnerabilities

When a security issue of Medium or Low severity is discovered, Tracer will aim to release a fix within the timeline objectives listed above. In certain circumstances Tracer may, however, defer addressing the fix based on available resources and company objectives. 

Future Updates

We will continuously evaluate our policies based on customer feedback and will provide any updates or changes on this page.