Streamlio policy for reporting, remediation and disclosure of security vulnerabilities in Streamlio products
Streamlio puts the highest importance on the security of our products. As part of ensuring that security, Streamlio has put in place a process for reporting, evaluation, remediation and disclosure of security vulnerabilities that may exist in Streamlio products. Streamlio’s process supplements and builds on the processes established by The Apache Software Foundation and documented at https://apache.org/security/ for open source projects used in Streamlio products. Streamlio’s product security policy is summarized below.
Streamlio performs both manual and automated assessments to identify potential vulnerabilities in Streamlio products. Potential vulnerabilities identified by these tests are evaluated by Streamlio staff using the process described in this security policy.
In addition to Streamlio’s own assessments to identify potential vulnerabilities in Streamlio products, external parties may report security vulnerabilities in Streamlio products by contacting Streamlio at security@streaml.io. Vulnerabilities in open source Apache Pulsar may be reported using the Apache security vulnerability reporting process explained at https://apache.org/security/. Streamlio strongly advises reporting of potential vulnerabilities using one of these two means before they are published to public forums. These reporting mechanisms are private, allowing Apache Pulsar committers and Streamlio personnel to evaluate and remediate these vulnerabilities in advance of public disclosure.
Streamlio’s policy is to evaluate every potential security vulnerability, whether discovered internally or reported externally, within three business days of discovery or notification.
In its evaluation, Streamlio uses the Common Vulnerability Scoring System Version 3, an industry-standard rating system for security incidents, to rate vulnerabilities. Scores are calculated using the best available analysis and metrics and are included in all vulnerability notices.
Streamlio maintains the following policy for addressing security vulnerabilities:
Streamlio maintains the following disclosure policy: