1E publishes security advisories concerning vulnerabilities that affect software which is incorporated into currently supported product versions. As a result, customers may be required to apply a mitigation, patch or update to their installations of 1E products to address the vulnerabilities identified.

Process

When an issue is reported, 1E uses the Common Vulnerability Scoring System to rate the vulnerability and requests a CVE number from MITRE.

When vulnerabilities are reported to or found by 1E, they are first reviewed by the 1E Security Group to determine the best course of action. Throughout the investigative process, 1E strives to work collaboratively with the source of the report (incident reporter) to confirm the nature of the vulnerability, gather required technical information, and ascertain appropriate remedial action. After the initial investigation is complete, results will be delivered to the incident reporter along with a plan for resolution and public disclosure. If the incident reporter disagrees with the conclusion, then 1E will make every effort to address those concerns.

When a vulnerability is made public, 1E will notify MITRE, at which time the CVE is made visible in their database. NIST will also automatically add the CVE to their database.

In all security publications, 1E discloses information required for an end user to assess the impact of a vulnerability and any potential steps needed to protect their environment. 

For each published security bulletin 1E will provide a recommendation for remediation of the vulnerability. This may take the form of a mitigation, hotfix or update that may be applied to the affected product installation.