Vulnerability Handling

According to our System Security Policy, we use Vulnerability Monitoring Tools to regularly monitor and scan our systems and hosted applications for vulnerabilities. Vulnerability scanning must occur continuously, and scans must be initiated whenever new vulnerabilities that may affect the system are identified or reported by vendors or security advisories.

Monitoring of Vulnerabilities

We use these tools to identify and monitor vulnerabilities:

  • Dependabot alerts to identify vulnerabilities in code
  • Docker Scout to monitor vulnerabilities in container images

At build time, we also create a Software Bill of Materials (SBOM) and attach it to our container builds so that customers can scan the image for vulnerabilities themselves.

Remediation of Vulnerabilities

Based on the risk level and applicability of the reported vulnerabilities, we act immediately or plan to upgrade to a fixed version within 30 days.

We currently have this strategy to remediate vulnerabilities:

  • Base-Image: To build and run container images, we use the officially supported Debian version that comes bundled with the BellSoft Liberica Java JRE LTS (bellsoft/liberica-openjre-debian). In the Dockerfile, we pin only the major version so that bugfix versions are picked up automatically on rebuild.
  • Java-Libraries: We use GitHub Dependabot to automatically create pull requests when an upgraded version is available. We aim to go with the latest stable version of libraries. Pull requests are typically merged within 7 days.

We are aware that container images and libraries constantly have a few open CVEs, and we accept this risk. We trust in the Debian community and BellSoft to work on providing bug fixes as needed.

In addition, we have subscribed to relevant mailing lists and newsletters to be informed when severe vulnerabilities become public.

We recommend setting up automated SBOM monitoring for deployed versions of the self-hosted Docker container image and upgrading to the latest available version to address severe security issues in the base image or in Java libraries.
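As an added illustration (not the project's own tooling), the automated SBOM monitoring recommended here, combined with the remediation rule given above (act immediately or upgrade within 30 days), could be implemented like this: the script parses a CycloneDX JSON SBOM of the kind attached to the container builds, matches each component's package URL against an advisory feed, and derives the remediation action and due date. The SBOM contents, the advisory identifiers, and the mapping from severity to "immediate" versus "planned" are all constructed assumptions for the example.

```python
"""Offline SBOM monitoring example (added here; not the project's own tooling).

Parses a CycloneDX JSON SBOM, matches each component's package URL (purl)
against an advisory feed, and derives the remediation action described in the
policy above. All sample data is constructed for this example.
"""
import json
from datetime import date, timedelta

# Constructed CycloneDX SBOM fragment, shaped like the output of SBOM generators.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-http", "version": "2.3.1",
         "purl": "pkg:maven/org.example/example-http@2.3.1"},
        {"type": "library", "name": "example-json", "version": "1.9.0",
         "purl": "pkg:maven/org.example/example-json@1.9.0"},
        {"type": "library", "name": "libexample", "version": "1.1.1",
         "purl": "pkg:deb/debian/libexample@1.1.1?distro=debian-12"},
    ],
})

# Constructed advisory feed with placeholder IDs (not real CVEs).
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "pkg:maven/org.example/example-http",
     "introduced": "2.0.0", "fixed": "2.3.2", "severity": "critical"},
    {"id": "ADV-EXAMPLE-0002", "package": "pkg:maven/org.example/example-json",
     "introduced": "1.0.0", "fixed": "1.8.5", "severity": "high"},   # already fixed
    {"id": "ADV-EXAMPLE-0003", "package": "pkg:deb/debian/libexample",
     "introduced": "1.0.0", "fixed": None, "severity": "medium"},     # no fix available
]


def parse_version(v):
    """Turn '2.3.1' into (2, 3, 1) for ordering; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def split_purl(purl):
    """Split 'pkg:type/ns/name@version?qualifiers' into (package, version)."""
    base = purl.split("?", 1)[0]          # drop qualifiers such as ?distro=...
    pkg, _, version = base.partition("@")
    return pkg, version


def is_affected(version, introduced, fixed):
    """True if introduced <= version < fixed (fixed=None means no fix yet)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def remediation(severity, reported):
    """Assumed mapping of severity onto the policy's two options."""
    if severity in ("critical", "high"):
        return "immediate", reported
    return "planned", reported + timedelta(days=30)


def scan_sbom(sbom_json, advisories, reported_iso):
    """Return one finding per (component, advisory) match, in SBOM order."""
    reported = date.fromisoformat(reported_iso)
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        pkg, version = split_purl(comp["purl"])
        for adv in advisories:
            if adv["package"] != pkg:
                continue
            if not is_affected(version, adv["introduced"], adv["fixed"]):
                continue
            action, due = remediation(adv["severity"], reported)
            findings.append({
                "component": comp["name"], "version": version,
                "advisory": adv["id"], "severity": adv["severity"],
                "fixed_in": adv["fixed"], "action": action,
                "due": due.isoformat(),
            })
    return findings


if __name__ == "__main__":
    for finding in scan_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES, "2024-01-15"):
        print(finding)
```

In practice the SBOM would be read from the deployed image's attestation and the advisory feed pulled from a vulnerability database; the version comparison here is deliberately simple and does not handle Debian epochs or pre-release suffixes, which a production scanner must.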