Security Bug Fix Policy

Open Source Consulting Inc. makes it a priority to ensure that customers' systems cannot be compromised by exploiting vulnerabilities in Open Source Consulting Inc. products.


The following describes how and when we resolve security bugs in our products. It does not describe the complete disclosure or advisory process that we follow.

Security bug fix Service Level Objectives (SLO)

Open Source Consulting Inc. sets service level objectives for fixing security vulnerabilities based on the security severity level and the affected product. We have defined the following timeframes for fixing security issues in our products:

Accelerated Resolution Timeframes

  • Critical severity bugs to be fixed in product within 2 weeks of being verified

  • High severity bugs to be fixed in product within 4 weeks of being verified

  • Medium severity bugs to be fixed in product within 6 weeks of being verified

  • Low severity bugs to be fixed in product within 25 weeks of being verified

Extended Resolution Timeframes

These timeframes apply to all self-managed products of Open Source Consulting Inc.. 

  • Critical, High, and Medium severity bugs to be fixed in product within 90 days of being verified

  • Low severity bugs to be fixed in product within 180 days of being verified

Critical Vulnerabilities

When a Critical security vulnerability is discovered by Open Source Consulting Inc. or reported by a third party, Open Source Consulting Inc. will do all of the following:

  • Issue a new, fixed release for the current version of the affected product as soon as possible.

  • Issue a new maintenance release for a previous version. 

It is important to stay on the latest bug fix release for the version of the product you are using (this is best practice).

The critical vulnerabilities resolution process does not apply to our Cloud products as these services are always fixed by Open Source Consulting Inc. without any additional action from customers.

Non-critical vulnerabilities

When a security issue of a High, Medium or Low severity is discovered, Open Source Consulting Inc. will aim to release a fix within the service level objectives listed at the beginning of this document. The fix may also be backported to Long Term Support releases, if feasible. 

You should upgrade your installations when a bug fix release becomes available to ensure that the latest security fixes have been applied.

Other information

Severity level of vulnerabilities is calculated based on Severity Levels for Security Issues.

We will continuously evaluate our policies based on customer feedback and will provide any updates or changes on this page. 

Ready to try out the apps?

Get started with a trial for your business

Need Support? 

Don't struggle with our apps. Our dedicated team is always available 
to help you with any concerns you may have with our products.


Get the inside scoop, previews,
news and other fun stuff.