Security/Vulnerability FAQ

Created by Steve Place, Modified on Mon, Sep 15 at 1:59 PM by Steve Place

Can I see what documents you have proving the product is secure?


If you're an enterprise customer, open a support ticket and we would be happy to send you our SOC 2 report, information security policy, and security architecture. If you'd like, we can also generate a Software Bill of Materials that will be emailed to you separately.


Do you do Pen Testing (Penetration Testing)?


Yes. We test once a year, and testing covers the entire Stardog platform, as built and run in an enterprise configuration with Stardog Cloud. Any vulnerabilities found are tracked as tickets and fixed through our release process.




Security vulnerabilities


Do you disclose security vulnerabilities in the product prior to fixes appearing in release notes?


Yes.


Your image scan shows ‘critical’ CVEs in the base OS. Why aren’t you releasing weekly rebuilds?


We rebuild and scan our images on a regular cadence and ship out-of-cycle updates when a vulnerability is actually exploitable in our runtime (for example, remotely, without user interaction, and without prior privileges). CVSS is a measure of severity, not risk; risk depends on whether the exploit preconditions hold in your environment.

We also harden runtime settings (non-root user, dropped capabilities, seccomp) so that a vulnerability in a base OS package has a smaller blast radius even before it is patched.

Finally, many enterprise distros backport fixes without bumping the upstream version number, so a scanner that compares version strings against upstream fixed versions can report a package as vulnerable when it is already patched. If your tooling consumes the vendor's security data (for example, OVAL feeds), it should reflect those backports accurately.


How do you handle image vulnerabilities?


We use container-specific vulnerability management, as recommended by NIST SP 800-190 (Application Container Security Guide): scanning and policy "quality gates" in CI, trusted and minimal base images, and regular base image refreshes. We don't ship images that don't meet policy.


What should I do with my scanner results?


Prioritize issues that are remotely exploitable in your environment (look at the CVSS Attack Vector, Privileges Required and User Interaction metrics), verify with your distro whether a fix has already been backported, and focus on reducing attack surface and privileges in your deployments. We're happy to review findings with you.
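As an added example (not Stardog's code, policy or scanner output), the following Python sketch shows one way to implement the triage rule above and a CI quality gate like the one in the previous answer: it parses CVSS v3.x vector strings, ranks findings by exploit preconditions (Attack Vector, Privileges Required, User Interaction) rather than base score alone, flags installed versions that carry a distro build suffix as candidates for backport verification, and fails the gate only on network-exploitable findings that have a fix available. The finding IDs, package names, versions, the suffix heuristic and the gate rule are all constructed placeholders for illustration, not real CVEs or Stardog's actual policy.

```python
"""Triage container-scanner findings by exploit preconditions, not CVSS score alone."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Heuristic (assumption, not a standard): version strings with a distro build suffix
# such as "1.1.1k-12.el9_3" or "2.36-9+deb12u4" often carry backported fixes that
# upstream-version comparison misses. Treat these as "verify with vendor data".
DISTRO_BUILD_SUFFIX = re.compile(r"(\.el\d|\.amzn\d|\.fc\d+|\+deb\d+u\d+|ubuntu\d)")


@dataclass(frozen=True)
class Finding:
    """One scanner finding. `fixed` is the upstream fixed version, or None if no fix exists."""
    id: str
    package: str
    installed: str
    fixed: Optional[str]
    base_score: float
    vector: str


def parse_cvss_vector(vector: str) -> Dict[str, str]:
    """Parse a CVSS v3.x vector like 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'."""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError(f"unsupported CVSS vector: {vector!r}")
    metrics: Dict[str, str] = {}
    for part in parts[1:]:
        key, sep, value = part.partition(":")
        if not sep or not key or not value:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[key] = value
    for required in ("AV", "PR", "UI"):
        if required not in metrics:
            raise ValueError(f"missing {required} metric in {vector!r}")
    return metrics


def exposure_tier(vector: str) -> int:
    """1 = remotely exploitable with no privileges or user interaction,
    2 = network/adjacent reachable but needs privileges or user interaction,
    3 = local or physical access required."""
    m = parse_cvss_vector(vector)
    if m["AV"] == "N" and m["PR"] == "N" and m["UI"] == "N":
        return 1
    if m["AV"] in ("N", "A"):
        return 2
    return 3


def suspected_backport(finding: Finding) -> bool:
    """True when the installed version looks distro-built, so the scanner's
    upstream comparison may be a false positive; confirm against vendor feeds."""
    return DISTRO_BUILD_SUFFIX.search(finding.installed) is not None


def triage(findings: List[Finding]) -> List[Finding]:
    """Order by exploit preconditions first, then by base score within a tier."""
    return sorted(findings, key=lambda f: (exposure_tier(f.vector), -f.base_score))


def blocking_findings(findings: List[Finding]) -> List[str]:
    """Example gate rule (assumption): block the image on tier-1 findings with an
    available fix. Suspected backports still block until verified against vendor data."""
    return [f.id for f in triage(findings)
            if exposure_tier(f.vector) == 1 and f.fixed is not None]


# Constructed sample findings; the IDs are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("EXAMPLE-1", "libfoo", "1.2.1", "1.2.3", 7.5,
            "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"),
    Finding("EXAMPLE-2", "libbar", "2.0.0", None, 7.8,
            "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"),
    Finding("EXAMPLE-3", "libbaz", "3.0.7-25.el9_3", "3.0.8", 9.8,
            "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    Finding("EXAMPLE-4", "libqux", "4.4.0", "4.4.1", 8.8,
            "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"),
]


if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS):
        note = " (verify backport with vendor feed)" if suspected_backport(f) else ""
        print(f"tier {exposure_tier(f.vector)}  {f.id:<10} {f.package:<7} "
              f"score {f.base_score}  fix {f.fixed or 'none'}{note}")
    blocked = blocking_findings(SAMPLE_FINDINGS)
    print("gate:", "FAIL " + ", ".join(blocked) if blocked else "PASS")
```

Note that the 7.8 local finding (EXAMPLE-2) ranks below the 7.5 network finding (EXAMPLE-1) even though its base score is higher, which is the severity-versus-risk point made above; and EXAMPLE-3 is both blocking and flagged for backport verification, so the right next step is to check the distro's security data before deciding whether a rebuild is actually needed.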




I have a question not covered here.


Email security@stardog.com or privacy-office@stardog.com.
