We have a Kendo UI Professional license. With various security audits within our company, a question has been raised regarding potential security vulnerabilities in third party libraries.
Our question is how Kendo UI team manages security findings in the code? In other words, what is the reporting (to the customers) and response process for security vulnerability findings?
6 Answers, 1 is accepted
Hello Sujit,
By way of introduction, my name is Stefan Rahnev and I'm Product Manager for Kendo UI here at Telerik.
The code base for our product is built with security in mind, and any potential security vulnerabilities we discover are investigated and addressed promptly. Having said that, we take any legit security vulnerability issue reports from clients very seriously, do our own validation and if confirmed, follow an incremental process to eliminate them in following product versions.
Although we don't have a specialized notification system or a regular security bulletin enabled, we notify any affected parties when certain security-related issues are fixed by our team.
I hope this information provides the details you inquired about.
Kind regards,
Stefan Rahnev,
Product Manager, Kendo UI
Telerik
I am sorry Stefan, I think I did not do a good job asking what I am looking for. Let me give it one more try. Let's start with what I understood so far -
1. For any security vulnerability finding, whether it is coming from customers or found internally, the Kendo UI team does validate and confirm it with thorough investigation.
2. When a security vulnerability is fixed/addressed, the Kendo UI team notifies all affected parties including customers.
3. Kendo UI team does not have a specialized notification system or a regular security bulletin enabled.
4. Fixes related to potential security vulnerabilities can be tracked via Kendo UI official release history logs.
Now what I am not clear on is that after #1 (security vulnerability is validated and confirmed) and before #2 (security vulnerability addressed/fixed and customers are notified), does the Kendo UI team notify all affected parties including customers that a security vulnerability has been confirmed in a particular release and will be addressed in the next release?
My name is Tsvetomir and I'm part of the Kendo UI team. I'll try to address your questions below.
Your understanding is correct on all four points.
As for your question, currently we do not notify customers of security bugs that are not yet fixed.
I'm not sure what would be the right approach here.
Disclosing details about exploitable vulnerabilities before actually fixing them will just extend the window of vulnerability.
That said, security issues are a rare occurrence and usually can be traced down to a particular user setup.
The framework is passive for the most part and needs a specific configuration to issue requests, output data and so on.
For example, using a template that does not escape HTML, "#= dataItem.evil #", vs one that does, "#: dataItem.evil #".
I hope this helps.
Regards,
T. Tsonev
Telerik
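The escaping distinction in the reply above, as an added example that is not part of the original thread and not Kendo UI's own code: a small renderer that imitates the `#= expr #` (raw) and `#: expr #` (HTML-encoded) template directives, restricted to dotted property-path lookups instead of the full JavaScript expressions Kendo templates accept (an assumption made here to keep the example self-contained), plus a defender-side check that lists every raw-output directive in a template so a reviewer can confirm each one is intentional. The `dataItem` contents are constructed sample data.

```javascript
// Added example (not Kendo UI's implementation): a minimal template renderer that
// mimics the two output directives contrasted in the reply above:
//   #= expr #  emits the value raw (unescaped)
//   #: expr #  emits the value HTML-encoded
// Assumption: "expr" is restricted to a dotted property path looked up on the
// data object, not arbitrary JavaScript as in the real kendo.template().

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Resolve a "dataItem.evil" style path against the data object; missing
// intermediate objects yield undefined instead of throwing.
function lookup(path, data) {
  return path
    .trim()
    .split(".")
    .reduce((obj, key) => (obj == null ? undefined : obj[key]), data);
}

// Render a template: '#' followed by '=' (raw) or ':' (encoded), the
// expression, and a closing '#'. Null/undefined values render as "".
function renderTemplate(template, data) {
  return template.replace(/#([=:])([^#]*)#/g, (_match, mode, expr) => {
    const value = lookup(expr, data);
    const text = value == null ? "" : String(value);
    return mode === ":" ? escapeHtml(text) : text;
  });
}

// Review check: every raw-output directive in a template, so each one can be
// confirmed to receive only trusted, already-sanitized markup.
function findRawDirectives(template) {
  const found = [];
  const re = /#=([^#]*)#/g;
  let m;
  while ((m = re.exec(template)) !== null) {
    found.push(m[1].trim());
  }
  return found;
}

// Constructed sample data: a field whose content a remote user could control.
const dataItem = { evil: "<script>alert(1)</script>", name: "Sujit" };

const rawTemplate = "<td>#= dataItem.evil #</td>";
const safeTemplate = "<td>#: dataItem.evil #</td>";

console.log(renderTemplate(rawTemplate, { dataItem }));
// <td><script>alert(1)</script></td>   (markup reaches the DOM as markup)
console.log(renderTemplate(safeTemplate, { dataItem }));
// <td>&lt;script&gt;alert(1)&lt;/script&gt;</td>   (rendered as literal text)
console.log(findRawDirectives(rawTemplate)); // [ 'dataItem.evil' ]
```

Running `findRawDirectives` over every template string an application ships is the practical check this reply points at: a `#= #` directive is not a defect by itself, but each one should be fed only values the application already trusts, and anything bound to user-supplied data belongs under `#: #`.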