Security
We take security seriously and use various measures to ensure the safety of our products. Our security policies include:
- Regular vulnerability scanning using industry-standard tools.
- We treat vulnerabilities reports as our priority. This means that we attempt to fix them as quickly as possible, therefore, we will release a hotfix for any major security vulnerability found in the most recent version of our SDK/server.
- We only use reputable 3rd party libraries and update them regularly
Reporting a Vulnerability¶
If you discover a security vulnerability, please report it to us by submitting a request in our Service Desk Portal. Include the details of the vulnerability, affected versions, and any known mitigations.
Vulnerability Scanning¶
We run vulnerability scans periodically on all components of our product, including:
- C++ SDK
- Python SDK
- Java Wrapper
- API Server
We use both open-source and proprietary vulnerability scanners such as Trivy and Veracode.
CVE History¶
Below is a table of the latest CVEs we have fixed:
| CVE | Priority | Type | Fixed Version |
|---|---|---|---|
| CVE-2013-4235 | Low | System | 3.0.0 |
| CVE-2016-2568 | Low | System | 3.0.0 |
| CVE-2016-2781 | Low | System | 3.0.0 |
| CVE-2022-3219 | Low | System | 3.0.0 |
| CVE-2022-41409 | Low | System | 3.0.0 |
| CVE-2023-7008 | Low | System | 3.0.0 |
| CVE-2023-25193 | Low | System | 3.0.0 |
| CVE-2023-26604 | Low | System | 3.0.0 |
| CVE-2023-29383 | Low | System | 3.0.0 |
| CVE-2023-34969 | Low | System | 3.0.0 |
| CVE-2023-45918 | Low | System | 3.0.0 |
| CVE-2023-50495 | Low | System | 3.0.0 |
| CVE-2024-2236 | Medium | System | 3.0.0 |
| CVE-2024-11168 | Medium | System | 3.0.0 |
| CVE-2024-21208 | Low | System | 3.0.0 |
| CVE-2024-21210 | Low | System | 3.0.0 |
| CVE-2024-21217 | Low | System | 3.0.0 |
| CVE-2024-21235 | Medium | System | 3.0.0 |
| CVE-2024-26461 | Low | System | 3.0.0 |
| CVE-2024-26462 | Medium | System | 3.0.0 |
| CVE-2024-52533 | Medium | System | 3.0.0 |
| CVE-2024-52615 | Medium | System | 3.0.0 |
| CVE-2024-52616 | Medium | System | 3.0.0 |
| CVE-2024-37891 | Low | System | 2.5.1 |
| CVE-2024-47175 | Medium | System | 2.5.1 |
| CVE-2024-38820 | Medium | Java | 2.5.1 |
| CVE-2024-38821 | Critical | Java | 2.5.1 |
| CVE-2016-1585 | Medium | System | 2.5.0 |
| CVE-2023-7216 | Medium | System | 2.5.0 |
| CVE-2023-27043 | Medium | System | 2.5.0 |
| CVE-2024-0397 | Medium | System | 2.5.0 |
| CVE-2024-2511 | Low | System | 2.5.0 |
| CVE-2024-4032 | Low | System | 2.5.0 |
| CVE-2024-4741 | Low | System | 2.5.0 |
| CVE-2024-5535 | Low | System | 2.5.0 |
| CVE-2024-6232 | Medium | System | 2.5.0 |
| CVE-2024-6345 | Medium | System | 2.5.0 |
| CVE-2024-6923 | Medium | System | 2.5.0 |
| CVE-2024-7264 | Medium | System | 2.5.0 |
| CVE-2024-7592 | Low | System | 2.5.0 |
| CVE-2024-8088 | Medium | System | 2.5.0 |
| CVE-2024-8096 | Medium | System | 2.5.0 |
| CVE-2024-21131 | Medium | System | 2.5.0 |
| CVE-2024-21138 | Medium | System | 2.5.0 |
| CVE-2024-21140 | Medium | System | 2.5.0 |
| CVE-2024-21145 | Medium | System | 2.5.0 |
| CVE-2024-21147 | Medium | System | 2.5.0 |
| CVE-2024-37370 | Medium | System | 2.5.0 |
| CVE-2024-37371 | Medium | System | 2.5.0 |
| CVE-2024-45490 | Medium | System | 2.5.0 |
| CVE-2024-45491 | Medium | System | 2.5.0 |
| CVE-2024-45492 | Medium | System | 2.5.0 |
| CVE-2024-38809 | Medium | Java | 2.5.0 |
| CVE-2024-38816 | High | Java | 2.5.0 |
| CVE-2024-7254 | High | Java | 2.5.0 |
| CVE-2023-6597 | Medium | System | 2.4.2 |
| CVE-2024-0450 | Medium | System | 2.4.2 |
| CVE-2024-21011 | Medium | System | 2.4.2 |
| CVE-2024-21012 | Medium | System | 2.4.2 |
| CVE-2024-21068 | Medium | System | 2.4.2 |
| CVE-2024-21094 | Medium | System | 2.4.2 |
| CVE-2024-35235 | Medium | System | 2.4.2 |
| CVE-2024-34750 | High | Java | 2.4.2 |
| CVE-2024-33599 | Medium | System | 2.4.1 |
| CVE-2024-33600 | Medium | System | 2.4.1 |
| CVE-2024-33601 | Medium | System | 2.4.1 |
| CVE-2024-33602 | Medium | System | 2.4.1 |
| CVE-2024-34397 | Medium | System | 2.4.1 |
| CVE-2023-33201 | Medium | Java | 2.4.1 |
| CVE-2024-29857 | Medium | Java | 2.4.1 |
| CVE-2024-30171 | Medium | Java | 2.4.1 |
| CVE-2024-30172 | Medium | Java | 2.4.1 |
| CVE-2023-52428 | Java | 2.4.0 | |
| CVE-2023-33201 | Medium | Java | 2.4.0 |
| CVE-2023-33202 | Medium | Java | 2.4.0 |
| CVE-2024-34447 | Java | 2.4.0 |
Non-fixable CVEs¶
In this section, we list the CVEs that are currently classified as non-fixable. These vulnerabilities have been thoroughly assessed, and due to various constraints, have not been resolved.
We continuously monitor these CVEs and work towards finding feasible solutions. Only Medium-priority CVEs are included in this table, as they represent a balanced risk that requires attention but does not pose an immediate critical threat.
| CVE | Priority | Type | Description |
|---|---|---|---|
| CVE-2024-2236 | Medium | System | https://ubuntu.com/security/CVE-2024-26462 |
| CVE-2024-26462 | Medium | System | https://ubuntu.com/security/CVE-2024-26462 |
False positives¶
When scanning our Docker image for vulnerabilities, you might encounter the following false positives:
| CVE | Type | Description |
|---|---|---|
| CVE-2023-37920 | System | https://ubuntu.com/security/CVE-2023-37920 |
| CVE-2024-3651 | System | https://ubuntu.com/security/CVE-2024-3651 |
| CVE-2021-33503 | System | https://ubuntu.com/security/CVE-2021-33503 |
| CVE-2023-43804 | System | https://ubuntu.com/security/CVE-2023-43804 |
| CVE-2023-32681 | System | https://ubuntu.com/security/CVE-2023-32681 |
| CVE-2020-26137 | System | https://ubuntu.com/security/CVE-2020-26137 |
| CVE-2023-45803 | System | https://ubuntu.com/security/CVE-2023-45803 |