Dear PeopleFluent Customers and Partners
PeopleFluent recognizes that many of our clients want to verify that their SaaS service is running the latest patches and addresses specific CVEs. While we appreciate it when clients make us aware of specific concerns, we are actively engaged in frequent scans of our products and track published CVEs. As part of our SaaS offering to you, we understand that it is our responsibility to secure our products, and we have policies and procedures in place to address vulnerability concerns.
The majority of the reports submitted to us are based on "surface scans" that rely on the version string returned by components used in our SaaS solutions. It is important to note that a version string alone does not establish that a vulnerability is present. Assessing the SaaS service on the basis of a version string will not necessarily reflect any actual vulnerability in our SaaS products, and it often creates unnecessary concern and misunderstanding.
PeopleFluent utilizes Windows systems and Linux distributions that are modern, well maintained, and regularly patched by reputable "upstream" OS vendors. In many cases these vendors back-port fixes from newer component releases into the version they ship, so the installed component carries the same code fix but does not appear fixed when judged by its version string alone. The authoritative indicator in such cases is the OS vendor's security advisory or the changelog of the installed package, not the upstream version number. For most routine updates, we evaluate and apply patches to the OS and its software components as they are provided to us, as part of our monthly maintenance windows. The team has in the recent past announced emergency maintenance to address issues we did not feel should wait for our standard maintenance window, and we will continue to evaluate and deploy patches in this manner.
The security team also evaluates, and often mitigates, vulnerabilities when we judge the risk to be significant and exploitation to be plausible in our environments. Mitigations are kept in place until a patch or code fix is released by our upstream vendors.
Vulnerabilities in code developed by LTG (PeopleFluent) are triaged and reviewed by our engineering and security teams; patch releases to our code are made, tested, and deployed within the timeframes outlined in our vulnerability and patch policies.
The team is unable to respond to each and every CVE report that is published; however, we undergo annual audits that attest to our capabilities and to our adherence to the comprehensive policies and procedures that govern our SaaS environments. Copies of our annual SOC 2 Type 2 and ISO 27001 reports are available from your PeopleFluent customer teams and provide third-party confirmation that we adhere to these policies, which are built on a framework of industry-standard vulnerability practices and protections. Our products also undergo vulnerability testing as part of our major version release process and are independently evaluated on a regular basis as part of our third-party penetration testing efforts.
For products that are not part of a PeopleFluent-run SaaS operation, PeopleFluent reviews and remediates CVEs within a limited scope:
1) The PF engineering teams evaluate vulnerabilities found in components used to build our software releases and remediate them in alignment with our engineering vulnerability policy, which takes into account the severity of the CVE and our release schedule, adjusting the release period as necessary.
2) For components that are not built into the product but are necessary for system operation (for instance, Apache HTTP Server or Apache Tomcat), our release documentation lists the major versions of those components that we have tested with and that can be used. The choice of component version installed is up to the on-premises installation, and we cannot comment on the CVE status or remediation of a component as it is installed or patched in that environment. Because most of these third-party products maintain backward compatibility within a major release branch, we encourage customers to track the releases of these components and apply fixes as their development teams publish them.
We appreciate your understanding of how we handle CVE reports and value your partnership as we continue to look out for the security of all our systems and software.