Security is a key component of cloud computing. Digital lab notebooks and online data processing services must have strong and reliable security features to guarantee maximum protection for raw data. In doing so, data quality and safety of research is ensured.
Scientific research is governed by a number of regulations and policies at the local, state or federal levels. Our tools are appropriate for compliant working environments using general guidelines and responsible research practices.
The integrity of research data is essential for advancing scientific, engineering and medical knowledge. Our products provide dedicated audit trails allowing users to see who has done what and when.
For our customers, we try to keep it simple and transparent:
We believe in Coordinated Vulnerability Disclosure (CVD) as proven industry best practice to address security vulnerabilities. Through a partnership between security researchers and vendors, CVD ensures vulnerabilities are addressed prior to being made public. To prevent unnecessary risk to customers, security researchers and vendors do not discuss the details of reported vulnerabilities before an update is available.
Security researchers who would like to inform us of a potential vulnerability can contact us at firstname.lastname@example.org.
Classification of Severity and Exploitability
Since most of our customers and users do not come from a software background, it is important for us that we use easy-to-understand and transparent language instead of technical jargon. Therefore, our classification system is heavily inspired by Microsoft’s practices, as we believe they have done a great job at striking the right balance.
What is the worst theoretical outcome?
|Critical||A vulnerability whose exploitation could allow code execution without user interaction. These scenarios include self-propagating malware (e.g. network worms), or unavoidable common use scenarios where code execution occurs without warnings or prompts. This could mean browsing to a web page or opening email. Labforward recommends that customers apply Critical updates immediately.|
|Important||A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources. These scenarios include common use scenarios where client is compromised with warnings or prompts regardless of the prompt’s provenance, quality, or usability. Sequences of user actions that do not generate prompts or warnings are also covered. Labforward recommends that customers apply Important updates at the earliest opportunity.|
|Moderate||Impact of the vulnerability is mitigated to a significant degree by factors such as authentication requirements or applicability only to non-default configurations. Labforward recommends that customers apply Moderate updates at the earliest opportunity.|
|Low||Impact of the vulnerability is comprehensively mitigated by the characteristics of the affected component. Labforward recommends that customers evaluate whether to apply the security update to the affected systems.|
What is the likelihood that a vulnerability addressed in a security update will be exploited?
|Exploitation Detected||Labforward is aware of an instance of this vulnerability being exploited. As such, customers who have reviewed the security update and determined its applicability within their environment should treat this with the highest priority.|
|Exploitation More Likely||Labforward analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability. Moreover, Labforward is aware of past instances of this type of vulnerability being exploited. This would make it an attractive target for attackers, and therefore more likely that exploits could be created. As such, customers who have reviewed the security update and determined its applicability within their environment should treat this with a higher priority.|
|Exploitation Less Likely||Labforward analysis has shown that while exploit code could be created, an attacker would likely have difficulty creating the code, requiring expertise and/or sophisticated timing, and/or varied results when targeting the affected product. Moreover, Labforward has not recently observed a trend of this type of vulnerability being actively exploited in the wild. This makes it a less attractive target for attackers. That said, customers who reviewed the security update and determined its applicability within their environment should still treat this as a material update. If they are prioritizing against other highly exploitable vulnerabilities, they could rank this lower in their deployment priority.|
|Exploitation Unlikely||Labforward analysis shows that successfully functioning exploit code is unlikely to be utilized in real attacks. This means that while it might be possible for exploit code to be released that could trigger the vulnerability and cause abnormal behavior, the full impact of exploitation will be more limited. Moreover, Labforward has not observed instances of this type of vulnerability being actively exploited in the past. Thus, the actual risk of being exploited from this vulnerability is significantly lower. Therefore, customers who have reviewed the security update to determine its applicability within their environment could prioritize this update below other vulnerabilities within a release.|