Everything you wanted to know about how wolfSSL support handles vulnerability reports, but were afraid to ask

Sometimes the consumers of the wolfSSL Embedded TLS library are curious about our internal process for handling vulnerability reports. The first thing our users need to know is that wolfSSL takes every vulnerability report seriously! We currently maintain a mean time to verification of about 1.5 hours. Our mean time to achieve a fix is about 12 hours. As most of our readers know, not all CVEs are created equal, so our fixes can take anywhere from 24 minutes to 24 hours.

The final statistic we can share is one that we are particularly proud of: our mean time between a report and a release over the last 3 years is 38 hours! We believe this is an industry leading number, and one that we will strive to maintain and even improve!

Breakdown of wolfSSL vulnerability response procedures:

#1 – (45 – 120 minutes)

– Support staff de-prioritizes all support to confirm vulnerability exists

– Support staff makes any necessary modifications to provided test code to make it build out-of-the-box for engineering team

– Support staff creates a README so that the engineering team can reproduce the issue in 10 minutes or less

– As soon as the vulnerability is validated and the tests are streamlined, an alert is sent to the engineering team along with the report and test case

#2 – (20 minutes – 1 day)

– Engineering team fixes the issue and opens a pull request

– Multiple engineers review fix

#3 – (1 hour)

– Jenkins automated integration server tests fix

#4 – (1 hour)

– Senior Engineer reviews Jenkins results and suggested fix

#5 – (N/A)

– Repeat steps #2 – #4 as necessary

#6 – (N/A)

– Fix is merged

#7 – (1 day)

– Release process started

– New GPL licensed release posted to website

– Commercial Releases sent to customers