Vulnerability Communication
At Constellio, the security of your data is our top priority. We adhere to best security practices, in line with the standards of OWASP (Open Web Application Security Project) and the guidelines established by Google Project Zero.
Our process aims to inform you quickly and efficiently if a vulnerability is detected. Our dedicated team intervenes immediately to assess and resolve any potential problem. Here's how we do it:
- Each vulnerability is evaluated according to the CVSS (Common Vulnerability Scoring System), an industry standard you can consult here.
- We'll let you know the type of vulnerability detected (e.g. Cross-Site Scripting, DDoS) and the versions affected.
- We will specify which corrected versions are available and, if possible, other measures to be taken to reduce risks while waiting for the update.
- A more comprehensive report will be available at a later date, allowing you to fully understand the impact and solutions provided.
To protect all our customers, especially those using on-premise platforms, we wait a minimum of 30 days before disclosing full details. This allows for staggered updates and ensures maximum protection.
We encourage you to regularly monitor security announcements and update your systems as soon as a new version is available. If you have any questions or require assistance, please contact our support team at support@constellio.com.
We are resolutely committed to maintaining a high level of security to guarantee the confidentiality and integrity of your data. Thank you for your trust and continued collaboration.