Security Policy
This policy describes how RequirementONE will respond to and fix security issues, depending on the issue severity. It applies to the RequirementONE Enterprise built products, such as RequirementONE Content Services, RequirementONE Process Services, and the RequirementONE built Add-ons modules.
Security incident response
When a security issue is discovered, RequirementONE will:
- Direct the security incident to the appropriate RequirementONE product subject matter expert and RequirementONE Security Architect for evaluation of the incident's scope and severity.
- Make one or more product fixes available, if appropriate.
- Inform customers and partners.
Severity Levels
RequirementONE classifies security issues according to a severity level of High, Medium, or Low. If warranted, a security issue may be re-classified and the customer and/or partner will be notified as appropriate.
Severity Level: High
A security issue is High if the vulnerability was discovered externally, is known about externally or is being actively exploited and one or more of the following is true:
- Customer data can be compromised
- The server running the application can be compromised
- A Denial of Service (DoS) can be caused, rendering the system unavailable.
Severity Level: Medium
A security issue is Medium if either of the following is true:
- The issue would otherwise be High severity but the issue was discovered internally and/or is not believed to be known externally
- The issue is a less serious vulnerability.
Severity Level: Low
'Low' refers to trivial vulnerabilities which only pose a marginal or insignificant risk.
Fix Versions
The following is the fix version policy RequirementONE Software will apply for security issues:
- High severity issues will be addressed as quickly as possible on all SaaS and Private Cloud instances in an emergency maintenance window.
- Medium severity issues will be addressed in the next scheduled maintenance window.
- Low severity issues will be addressed in the next maintenance release.
Release of Security Notifications
RequirementONE notifies customers and partners in the following manner:
- For High severity issues, RequirementONE:
  - releases the version containing the fix and then sends a security alert email to all customers and partners.
  - publishes a security alert on the RequirementONE Helpdesk with details of the issue.
  - publicly releases full details of the vulnerability, but only after customers and partners have been given reasonable time to make any adjustments.
- For Medium severity issues, RequirementONE:
  - releases the version containing the fix.
  - publishes a security alert on the RequirementONE Support Portal with details of the issue.
- For Low severity issues, RequirementONE:
  - documents the fix as part of the release notes for the maintenance release.
Reporting a security issue to RequirementONE
Please report all security issues by logging a support case via the RequirementONE Help Desk or by sending an email to helpdesk@RequirementONE.com to ensure that the information does not enter the public domain prematurely.
Enhancement Policy
RequirementONE loves to hear of improvements, suggestions, and recommendations for future releases. The Enhancement policy applies to these items.
What is an enhancement request?
An enhancement request is a piece of functionality that was not specified at the time that the code was written, or an extension to what is already present. Undocumented functionality is considered an enhancement request.
How are enhancement requests created?
Enhancement requests are accepted and created by the customer success team using a helpdesk case along with an associated Engineering requirement.
What happens to my enhancement requests?
Enhancement requests are logged as business requirements, ready for review by the product manager.
As the planning for a new release gets underway, enhancement requests are reviewed for consideration, and a select few are converted to functional requirements and added to the backlog.
Once an enhancement request has been implemented, the original enhancement request is closed and the requester is notified.
Can enhancement requests be escalated?
If you are a customer or partner, then you can escalate your enhancement via Customer Success or your Customer Success Manager.
Premier Customer Success Policy
Premier Customer Success has a few unique policy requirements around Premier Customer Success personnel.
Customer Success Managers (CSM)
The CSM is designated to a named customer account. They work normal RequirementONE business hours for the time zone in which they are based and adhere to the RequirementONE published holiday calendar.
Outside of these times, RequirementONE will meet our customer success obligations using the normal RequirementONE channels, including priority phone access and the RequirementONE Helpdesk. Premier Customer Success service level targets and other parts of the Premier Customer Success program remain in force.
A CSM may take reasonable time off as needed for illness, vacation, training and other internal company needs. During times of absence, accounts are temporarily reassigned to another CSM for handling.
Should a period of extended absence exceed two weeks, RequirementONE will provision a backup resource and coordinate a hand-off.