Security Vulnerabilities. How are they handled?

Hi. We subscribe to CVE alerts to make sure that we keep all our internal software up to date, regarding security vulnerabilities.

I’m not able to find Flowable listed in the CVE database.
How do you guys handle security issues that are reported and fixed?
Where can I see a list of these? It would be great if they can be added to CVE because people could then use existing integrations to handle any updates that are required to stay safe.

When there is a security problem, we always publish a fix version asap. We’ve got automated vulnerability scanning (and everything that GitHub adds by default, like dependency scanning). I’m not familiar with the CVE process - how does it work (I know what it is - not how a software library can apply for it)?

Like you, I’ve never had to create a new vendor on CVE, but here are some links that may be relevant:

One thing that is in there is, “CVE is not a database of vulnerabilities, but allows databases to share IDs”
Maybe there are other organisations that run these databases where you could submit your company as a vendor and then submit any reports.
From what I understand these are called CNAs.

Would this be something that Flowable would consider?

I found this one that may be good for you:

GitHub, Inc.
GitHub currently only covers CVEs requested by software maintainers using the GitHub Security Advisories feature

I’m not sure if you use that feature.

This is obviously not a decision I can make alone. To be honest, I’ll need to read up on things and see what effort/how much this is and what the implications are.

We do. We get notifications when this happens.

Looks like you would be able to use this UI in GitHub: