Digi Remote Manager Vulnerability Patch Policy

Objective

This policy is intended to describe Digi’s standards for responding to known potential security vulnerabilities in Digi Remote Manager’s cloud version, and doesn’t apply to the on-premise version. It defines Digi’s policy for communicating potential vulnerabilities and delivering resolutions to customers.

Scope

This policy specifically covers security vulnerabilities in Digi Remote Manager. We define a security vulnerability as an unintentional weakness or flaw within the software that has the potential to be exploited by a threat agent in order to compromise a customer’s network.

This policy does not cover the general support and resolution process for non-security-related defects. For further information on general support policies, please refer to Support & Helpdesk Ops.

Audience

This policy is for the use of Digi partners and customers.

Introduction

Digi Remote Manager is designed to configure, deploy and monitor assets securely on customer networks. Our product includes many security functions, such as RBAC, secure provisioning, security policies (for example, CIDR block ranges for web access), DUO 2FA support, SAML, event log push/pull monitoring, and alerts using configuration manager. All operations are API programmable, so that device configuration, logs or behavior can easily be monitored by custom solutions.

Digi welcomes the transparent reporting of vulnerabilities and is committed to resolving them in a timely manner. In addition to reporting by users, Digi actively searches for vulnerabilities through internal testing, static/dynamic code analysis, internal/external penetration testing, and continuous assessment of new CVEs with next-generation software composition analysis. Vulnerabilities may be discovered through internal security testing, reported publicly as a Common Vulnerabilities and Exposures (CVE) entry, or discovered by an independent security assessment, a customer, or another party.

Digi’s policy is to quickly assess the impact of any reported vulnerability. When very specific critical vulnerabilities or zero-day exploits occur, we may post an advisory to keep our customers informed of the impact and of patch timelines or mitigations.

Reporting Potential Vulnerabilities

Customers or partners who are experiencing security issues with Digi Remote Manager are encouraged to report the issue as soon as possible through the Digi security form. When reporting a potential vulnerability, please include as much information as possible about the circumstances (including the CVE number, if available), a proof of concept if applicable, and the potential impact. Your contact information is required so that we can communicate with you during triage.

Assessing Potential Vulnerabilities

Digi uses the Common Vulnerability Scoring System (CVSS 3.0). The determined CVSS score reflects the potential security threat of the vulnerability within the context of Digi product design. Digi’s security and engineering team reserves the right to internally re-classify the CVSS score to reflect the likelihood of impact to our products based on implementation. In the event a consumer of Digi goods and services has any query about how a determination was made, the CVSS v3 vector string behind the Digi-determined score can be provided for clarification via a support request to Digi support.

Information and Resolution Timelines

The CVSS 3.0 score is used to prioritize and set targets for communication and resolution as follows:

Severity          CVSS 3.0    Resolution Target
Critical          9.0–10.0    Patch release within 30 days
High              7.0–8.9     Patch release within 30 days
Major             4.0–6.9     Patch release within 90 days
Minor             N/A         Future release
No Vulnerability  N/A         N/A

Resolution of Potential Vulnerabilities

Digi takes security vulnerabilities seriously and endeavors to make resolutions available to customers and partners in line with the resolution targets above. This applies to all products currently in support; to verify which products are no longer supported, please visit the Digi customer portal for a list of PCNs and EOL announcements.

For critical vulnerabilities Digi enacts a formal Incident Management Process. This process involves dedicating appropriate resources to the resolution until a fix has been released. The process includes internal communication and escalation procedures to ensure the resolution receives the highest possible priority.

All relevant vulnerabilities are continuously resolved by updates to the Remote Manager service, driven by our software composition analysis technology, unless other information is provided in a Security Advisory.

Receiving Information on Potential Vulnerabilities

Customers and partners can register through the Digi Security Center to receive information on potential vulnerabilities that are in the process of being assessed or resolved. To ensure you get the latest updates, subscribe to the RSS feed.