You might have been wondering about the increased number of security-related emails in your inbox. Our newly appointed security team has been performing internal code reviews, especially on the build-time tooling, and found a bunch of less-critical vulnerabilities. We are also now a CVE numbering authority and communicate the vulnerabilities a bit differently.
As a 20-year veteran in the OSS community, Vaadin has always played a role in pushing the community forward and sharing our knowledge with researchers worldwide. You can find a list of vulnerability reports and details for reporting a potential security flaw on the Vaadin Security page.
What has changed?
These updates form a part of our 20-year-long process of providing stability and security for your business web applications.
The main thing that has changed is the way we communicate vulnerabilities. Previously, security issues were discovered and fixed as a part of the normal development process, but the presence of those issues wasn't communicated. Now, this has changed and a security advisory is disseminated via vaadin.com/security for every issue that might be used as a part of a cyberattack.
This means that we now send our customers more emails about security vulnerabilities, which may raise questions about their severity. Our vulnerability-handling processes comply with the ISO/IEC 30111 and ISO/IEC 29147 standards.
Unpatched vulnerabilities in third-party code also present a significant threat to the software supply chain. Malicious actors can use vulnerabilities discovered by security researchers in open-source code to attack any application that relies on that code. This poses a significant risk, as 99% of organizations use some open-source code in their software, and 91% of codebases have components that are out of date or that have not seen developer attention in years.
Although the recent surge in security emails may be alarming, the bottom line is that we thoroughly investigate all possible security issues and communicate all of them to our customers, so that they are aware of them and can update their dependencies on time.
What is CVE?
Vaadin was recently accepted as a Common Vulnerabilities and Exposures (CVE) Numbering Authority (CNA). Membership in this program will help us streamline vulnerability-disclosure processes and improve our communication with security stakeholders.
The CVE program authorizes companies with CNA status to issue a CVE identification for vulnerabilities within the scope of their products. These CVE IDs are then provided to researchers, vulnerability-disclosure authorities and information technology vendors, facilitating effective and transparent discourse on security vulnerabilities.
Security researchers can now work on CVEs directly with Vaadin. We will also have access to several CVE-compatible databases, enabling us to work in unison with other companies against attackers and improve cybersecurity in the industry.
About the CVE program
The CVE program was launched in 1999 by the not-for-profit MITRE Corporation. Today, there are 166 technology organizations from 27 countries participating as CNAs, in addition to numerous global stakeholders that maintain an open data registry of vulnerabilities. Participation is voluntary, and Vaadin is the second Finnish company to join the program.
You can find the full list of CNAs and request their CVE IDs on the CVE webpage.
New Vaadin security emails
In keeping with our commitment to transparent messaging, our new security emails carry a rating based on the Common Vulnerability Scoring System (CVSS), where a base score of 1.0 to 3.9 indicates Low Severity, and 7.0+ a High-Severity rating. You can read more about the assessment on the CVSS web page.
The emails contain information about the severity, affected products, and procedures to counter the vulnerabilities. These emails are sent to registered users and the full reports are published on the security page.
Register now to receive these security notifications in your inbox.
Figure 1. Low-severity email banner (base score 1.0 to 3.9).
Figure 2. High-severity email banner (base score 7.0+).
New Vaadin documentation site
Our new and improved Vaadin documentation includes a comprehensive section on Vaadin security details. Everything can be found there, from the application architecture and our internal practices to contributing and reporting, and a list of common false positives.
We have also expanded our documentation site with new tutorials and code examples. It includes a security-related section as well, covering topics such as creating a login view to authenticate the users of your application. You can also watch the video tutorial, if you prefer.
Have you found a potential vulnerability? Go to vaadin.com/security to report it or to view the previous reports.