This content is dedicated to our next version. It is work in progress: its content will evolve until the new version is released.

Before that time, it cannot be considered official.

Vulnerability Reporting Policy

This policy describes how technical Vulnerabilities should be handled for Bonita.

It sets forth the principles under which Vulnerabilities should be discussed, managed and communicated about.

Terms

Vulnerability

As defined by ISO 27005; see below.

Bonita Security Team

The Bonita Security Team handles tasks related to Vulnerability management for the Bonita solution.
Its job is to drive the various activities that ensure Bonita components are as secure as possible.
The Bonita Security Team can be contacted by email at bonitasecurity@bonitasoft.com.
It is not responsible for security at Bonitasoft as a whole (infrastructure and the bonitasoft.com website are the responsibility of IT).

Finding

A Finding is a set of information concerning a possible Vulnerability. It may be an actual Vulnerability, or only a suspicion. The details it should contain are described in Finding details, and it is logged in a Jira ticket.
It may concern the Bonita components themselves, their dependencies, the environment, or any combination of these.

What is a technical vulnerability?

A vulnerability is commonly defined as “an inherent weakness in an information system, security procedures, internal controls, or implementation that could be exploited by a threat source.”

The software development process is complicated, and its output in the form of software programs is rarely bug free. Most of these bugs simply affect the functionality of the software so that it does not work as intended. However, if manipulated in the correct way, some can allow an attacker to gain some form of advantage or access which was not intended by the developer. This type of bug is considered to be a software vulnerability.

These vulnerabilities are constantly being found and corrected via software updates or patches. Unfortunately, it is not always the developer or user who discovers these vulnerabilities. When discovered by a potential attacker the vulnerability becomes something to be exploited for gain and kept secret for as long as possible. A newly discovered vulnerability is often referred to as a “zero-day exploit” and is difficult to defend against.

Bonitasoft’s policy with respect to technical vulnerabilities is to be aware of them and to close them where possible, either directly or via other means.

How to report a Vulnerability or Finding?

If you think you have discovered a Vulnerability, you should report your Finding directly to bonitasecurity@bonitasoft.com, so that the Bonita Security Team can manage it in a dedicated Jira project. You must not disclose it directly on the public forums or any other website. In case of doubt, contact the Bonita Security Team, who will assess the severity and whether there actually is a vulnerability.

Only Bonita developers at Bonitasoft have direct access to the Jira project. They can view Findings and create Finding tickets directly.

Finding details

When reporting a Finding by mail to the Bonita Security Team, you should include the following details:

  • Whether you want to be mentioned as the reporter and how we should address you.

    you may remain anonymous if you prefer

    you may indicate a full name (e.g. Martin L. King) or a pseudonym, but not an email address nor a company name

    the reporter is mentioned in the release note and in the report to MITRE, although MITRE does not include it in the public CVE entry

  • A description with details about the suspected vulnerability

    the description should not contain any confidential information

  • A link to the source whenever applicable (especially for a Vulnerability in a dependency)

    stick to official sources or well-known websites, as suspicious links will not be opened

  • The components and versions where you found it

  • The system environment concerned (even when the Finding is not specific to that environment)

Disclosure

The reporter of a Finding will be informed of the existence of a related Vulnerability and of the progress of its resolution.
If it turns out that a Finding is not actually related to a Bonita Vulnerability, the Finding is handled as any other bug.

Vulnerabilities are not immediately disclosed to the public. Bonita Vulnerabilities and associated Findings are classified as confidential, as they contain information that may compromise the integrity of others' Bonita installations.
Once a Vulnerability is solved, all concerned versions of Bonita still under maintenance are fixed with a new release. Bonita Subscription clients are informed of these new releases and strongly advised to update as soon as possible to the suitable maintenance version. They are informed of the fixed vulnerabilities, which remain confidential at this point and are not mentioned in the release note.
Two weeks (excluding holidays) after a Vulnerability is fixed on all maintenance versions, the release notes are updated publicly with mentions of the fixed Vulnerabilities. The Vulnerability details are no longer confidential and the corresponding MITRE CVE entries are published. There is no maintenance release commitment for the Bonita Community edition, and Community users may have to wait for the next Community version to benefit from the Vulnerability fixes.