Security
Introduction
At Bloomreach, we take security very seriously. This page describes what to do if you discover a security issue in a Bloomreach product, how Bloomreach deals with security issues, and how to keep your implementation up-to-date with the latest security updates.
- What to do if you discover a security issue?
- How does Bloomreach handle security issues?
- How to keep your Bloomreach Experience Manager implementation up-to-date with the latest security updates?
- Security Policy for End-of-Life Libraries in BrXM
What to do if you discover a security issue?
If you discover a potentially harmful security issue in a Bloomreach product, please contact us at xm-security@bloomreach.com immediately, so we can initiate the process described below.
How does Bloomreach handle security issues?
We have the following process in place to deal with security-related issues:
- Report Issue: Any potentially harmful security issue must be reported by sending an e-mail to xm-security@bloomreach.com. This e-mail address is continuously monitored by product stakeholders from several different departments within our company.
- Assess Issue: The issue reported to xm-security@bloomreach.com is assessed by the product stakeholders within one business day.
  - If the issue is assessed as being a potentially harmful security issue, it is entered in an internal issue tracking system and assigned to the appropriate team. The reporter is informed that the issue is under investigation.
  - If the issue is assessed as not being a security-related issue, the reporter is informed through a standard response that this is not the appropriate channel to report this issue. The issue is then forwarded to the helpdesk, who will contact the reporter to discuss whether further assistance is required.
- Verify Issue: The team assigned to the issue verifies the reported behavior. The outcome of this effort (verified or not reproducible) is communicated to the reporter of the issue.
- Fix Issue: The team assigned to the verified issue categorises the issue as major or minor. For major issues, meaning issues with an OWASP rating of MEDIUM or higher, a dedicated hotfix version may be created if deemed necessary. For all issues, the fix is included in the next regular maintenance release.
- Inform Customers: All Bloomreach Experience Manager customers are informed about the security fix and encouraged to apply the hotfix or maintenance release as soon as possible.
- Inform Community: The fix is included in the next regular maintenance release, at which time each fixed security issue is published on this site (see link below) to inform the Bloomreach Experience Manager community. Once a major security fix, for which a hotfix was created, is public, Bloomreach Experience Manager customers can upgrade to the latest maintenance release and drop the hotfix. Maintenance releases become publicly available to the Bloomreach Experience Manager community after 24 months.
How to keep your Bloomreach Experience Manager implementation up-to-date with the latest security updates
Bloomreach Experience Manager customers are directly informed of new security updates and are provided with hotfixes. The Bloomreach Experience Manager community is informed of new security updates through the page below and can upgrade to the latest maintenance release.
- Bloomreach Experience Manager Security Updates
- Bloomreach Experience Manager False Positive Security Vulnerabilities
Security Policy for End-of-Life Libraries in BrXM
At Bloomreach, safeguarding the integrity and performance of the BrXM platform is a priority that guides our actions. In light of this commitment, we’ve refined our approach to managing end-of-life libraries and the necessary backward incompatible changes they may bring about. Here’s an overview of our policy:
- Major Version Updates for Enhanced Compatibility: In instances where end-of-life libraries require us to introduce changes that are not backward compatible, these will be implemented in the subsequent major version release of BrXM. This strategy is designed to ensure that updates within minor versions remain stable and fully compatible for all our users.
- Addressing Vulnerabilities in End-of-Life Libraries: We are aware that certain minor versions of BrXM might include end-of-life libraries, potentially leaving them exposed to vulnerabilities for which no patches exist. Despite our best efforts to secure our platform, some risks may be unavoidable due to the dependencies on third-party library updates.
- Proactive Steps for Optimal Security: The most recent major versions of BrXM are equipped with essential security enhancements and patches, targeting vulnerabilities linked to end-of-life libraries. Operating on older BrXM versions could subject your applications to unnecessary security threats, particularly if those versions depend on unsupported or unmaintained libraries. It’s important to note that updating end-of-life libraries which introduce backward incompatible changes is a process reserved for major releases, as it cannot be accommodated within minor version updates.
- Why Upgrading Matters: Transitioning to the latest major version of BrXM is vital for safeguarding the security, reliability, and overall performance of your digital experience platform. We urge you to initiate your upgrade plan promptly to leverage the comprehensive benefits offered by the latest version.
Your proactive engagement in maintaining the security and efficiency of your platform is invaluable. We’re here to support you every step of the way as you plan and execute your upgrade to the newest version of BrXM.