Streamlio Product Security Policy

Streamlio policy for reporting, remediation and disclosure of security vulnerabilities in Streamlio products

Streamlio puts the highest importance on the security of our products. As part of ensuring that security, Streamlio has put in place a process for reporting, evaluation, remediation and disclosure of security vulnerabilities that may exist in Streamlio products. Streamlio’s process supplements and builds on the processes established by The Apache Software Foundation and documented at https://apache.org/security/ for open source projects used in Streamlio products. Streamlio’s product security policy is summarized below.

Reporting

Streamlio performs both manual and automated assessments to identify potential vulnerabilities in Streamlio products. Potential vulnerabilities identified by these tests are evaluated by Streamlio staff using the process described in this security policy.

In addition to Streamlio’s own assessments to identify potential vulnerabilities in Streamlio products, external parties may report security vulnerabilities in Streamlio products by contacting Streamlio at security@streaml.io. Vulnerabilities in open source Apache Pulsar may be reported using the Apache security vulnerability reporting process explained at https://apache.org/security/. Streamlio strongly advises reporting of potential vulnerabilities using one of these two means before they are published to public forums. These reporting mechanisms are private, allowing Apache Pulsar committers and Streamlio personnel to evaluate and remediate these vulnerabilities in advance of public disclosure.

Evaluation

Streamlio’s policy is to evaluate all potential security vulnerabilities that are discovered internally or externally within three business days of discovery or notification.

In its evaluation, Streamlio uses the Common Vulnerability Scoring System Version 3, an industry-standard rating system for security incidents, to rate vulnerabilities. Scores are calculated using the best available analysis and metrics and are included in all vulnerability notices.

Remediation

Streamlio maintains the following policy for addressing security vulnerabilities:

  • Streamlio product releases (including minor and major releases) will include cumulative fixes for vulnerabilities that are found, verified and fixed within the timeframe of the release.
  • Streamlio will make reasonable efforts to issue releases to mitigate or fix vulnerabilities for all applicable and supported versions.
  • In the case of critical risk, high impact vulnerabilities, Streamlio will make all reasonable efforts to expedite maintenance releases for all affected versions.
  • In the case of critical risk, high impact vulnerabilities, Streamlio will make all reasonable efforts to supply patches, assuming that patches are viable as a temporary remediation for customers who cannot immediately upgrade their Streamlio deployment.

Disclosure

Streamlio maintains the following disclosure policy:

  • Streamlio will announce vulnerabilities via streaml.io/resource/security/notifications.
  • Streamlio will not publicly announce security vulnerabilities until fixes are publicly available.
  • For critical risk, high impact vulnerabilities, Streamlio may contact customers that are especially vulnerable in order to recommend immediate mitigation or remediation options.
  • Streamlio will not release the exact details of vulnerabilities.

Resources