We follow the standardized Common Vulnerability Scoring System (CVSS). CVSS is the most widely recognised vulnerability scoring framework, used by governments and organizations worldwide.
Whenever a security vulnerability is discovered in Kayako, we use the CVSS framework to calculate its impact score. We map these to the following severity levels:
| CVSS score | Severity level | Example case |
|---|---|---|
| 0 - 2.9 | Low | Very unlikely to cause any significant disruption to a helpdesk. |
| 3 - 5.9 | Medium | May provide limited access or disruption of service; usually requires elevated privileges of some kind. |
| 6.0 - 7.9 | High | Risk of data compromise; the exploit is not readily available to attackers and may be difficult to execute. |
| 8.0 - 10.0 | Critical | Full compromise of servers, infrastructure or data; the exploit is readily available to attackers. |
Our fix and patch procedure
Kayako OnDemand customers will be patched and secured against any known vulnerabilities in accordance with their severity level, without any action on their part. Kayako Download customers need to patch their own helpdesk, so this document sets out when and what kind of patches and releases will be made available.
When a critical vulnerability is verified, we will fix it and release a security advisory. This includes:
- An immediate update that includes the fix
- A patch with the fix for the currently available release
- Patches for previous releases
How many previous releases will be patched
We will release patches either back to the previous non-maintenance release, or for all releases within the last 6 months, whichever is sooner. If we can create patches even earlier than this without causing complications, we will do so.
For example, if the current version is Kayako 4.60 and the previous non-maintenance release was 4.50, we will release a new update Kayako 4.60.1 and patches for Kayako 4.53, 4.52, 4.51 and 4.50. If you are using a release older than Kayako 4.50 (for example, 4.42), you would need to perform a full update to Kayako 4.60.1 in order to secure your helpdesk.
When a high, medium or low vulnerability is verified, we will fix it in the next regularly scheduled release. For example, if the current version is Kayako 4.60, we will include the fix in the next release 4.61.
Responsible disclosure and reporting
Security is one of our highest priorities. We are committed to delivering a secure and reliable helpdesk service to our thousands of customers and their own customers.
We therefore appreciate researchers who disclose vulnerabilities responsibly. A responsible discloser:
- Does not test security vulnerabilities in a way that will impact our service or compromise our customers' data
- Does not attempt to access, copy or share any information that does not belong to them
- If they wish to test, does so using their own test Kayako installation or account
- Does not publicly disclose details of the vulnerability until we confirm that they can do so (to allow a reasonable amount of time for our customers to update)
To report a vulnerability to us, submit a support ticket and include details of the vulnerability and a test case.
Our team will drop everything to verify and assess the vulnerability and keep you in the loop.
Hall of Fame
We would like to say thank you to the following responsible disclosers and to those who have otherwise contributed to the security of Kayako:
- Our friends at Atlassian (who came up with the CVSS to severity mappings we adopted)
- Vlad C. of NetSec Interactive Solutions
- Wong Chieh Yie (@wcypierrenet)
- Kamil Sevi (@kamilsevi)
- Harsha Vardhan Boppana (@hvboppana)
- Jigar Thakkar (@jigarthakkar39)
- Shahee Mirza (@shaheemirza)
- Siddhesh Gawde (@pen3t3r)
- Arvind Singh Shekhawat (@arvindhexor)
- Koutrouss Naddara (@superbade)
- Sunil dadhich (@sunil_dadhich7)
- Shrinivas Fakirpure (@shrinivas_l33t)
- Sabari Selvan of E Hacking News
- Ahmad Ashraff (@yappare)
- Danish Tariq & Noman Ramzan www.danishtariq.net
- Abhijeth D & Lalith R (techfinite.net)
- Simon Bräuer (@redshark1802)
- Nakul Mohan (@Nakul_Mohan_Cia)
- Evan Ricafort http://www.evanricafort.com
- SD_r1z (@SD_r1z)
- Ciaran McNally (@ciaranmak)
- Shubham Sahu (@24shubham02)
- Sahad NK www.hackthecops.blogspot.in
- Waleed Ezz Eldin (WIBF)
- Mohammed Abdulqader Al-saggaf https://www.facebook.com/mohammed.alsaggaf2010
- Mohamed M.Fouad (@flash162011)
- Omer Iqbal (@omiqbu)
- Blessen Thomas (@pentagramz)
- Jesse Clark http://blackdoorsec.blogspot.in
- Muhammad Osama
- Vignesh Chandrasekaran https://in.linkedin.com/in/vignesh-c-76539854
If you are the first one to report a particular vulnerability, we would like to include you in our hall of fame list above. To be added, provide your name, Twitter handle or website address. If you have discovered a non-trivial vulnerability in a Kayako product (Kayako software, OnDemand infrastructure or my.kayako.com), include your shipping address and we'll send some goodies your way too.