Information security is of utmost priority to Actian. In an ongoing effort to ensure that our customers are effectively informed of security vulnerabilities that may impact their Actian implementations, we have developed a clearer and more concise means of posting appropriate announcements and automatic notifications, and we provide a resource for reporting any identified vulnerabilities.
Open Source and Security – Industry News
Further details about industry items directly related to open source and security.
- Security clearance hinders OS in Government - Ingres exception
- Open Source Security Best Practices
- Open source and the 'fear factor' mentality
- Securing Your Database - Top 10 Tips for Government Organizations
- Ingres Attacks Open Source Security Myth
- Open Source Database Security
Security – Resources
Actian takes security issues very seriously and works to quickly acknowledge and resolve any identified issues uncovered within its products. To ensure that we respond to any identified security vulnerability, we have implemented a reporting mechanism within the organization that ensures any issue found in the products is addressed immediately.
Please report any occurrences of security vulnerabilities to the Actian Security Response Center, firstname.lastname@example.org
When notifying Actian of a potential security vulnerability, please provide as much information as possible.
Do not send general technical assistance requests, requests for upgrading to current patch levels, or other non-security-related inquiries to the above email address. If you are a licensed customer, these requests should be made through the normal support channels at http://supportservices.actian.com/support-services.
Email received at the above address alerts a team of designated individuals within Actian who will act immediately. We will investigate and verify the report, determine the impact, and identify the actions that need to be taken.
When a new security vulnerability is reported, Actian will do the following:
- Read the email and send a personal response acknowledging the report within 1 business day
- Open a new internal issue, formally escalated as ‘Internal Critical’ with the impact description set to ‘Security Vulnerability’
- Complete an assessment of the impact, categorize it as low, medium, or critical, and update the priority accordingly
- Keep you informed as the investigation progresses towards resolution
We want to partner with you when it comes to any issues related to security vulnerabilities within any of the Actian products. As a result, we will keep all information you share with the Actian Response Center confidential within Actian, if it is not already public knowledge. We will not share the information with any third parties without your agreement. We expect that you also treat communications from us the same, and inform us if you communicate any details of the issue to any other party.
Credit for Reporting Vulnerabilities:
Actian values all participants in our community who identify, uncover, and bring potential security vulnerabilities within our products to our attention. Actian will work with all parties to ensure that any reported issues are appropriately fixed and reported on in an appropriate timeframe.
Actian will acknowledge and provide credit to those parties that follow the disclosure processes defined within the industry, including:
- Not publishing the security vulnerability prior to Actian releasing an appropriate fix
- Not divulging details of the exploitation through direct examples and/or through code examples
Actian provides information on security vulnerabilities that affect Actian products in the form of formal security disclosures. Announcements for any affected Actian products are published to the Actian Security Vulnerability mailing list, the VIP mailing list, the OpenROAD mailing list, the DBA Forums, the ‘comps.database.ingres’ group, and Actian Service Desk, the 24x7 online product support application for all Actian products.
For each security vulnerability identified, we will supply details of the issue(s) being fixed as well as how to obtain and install the required patches and/or service packs.
To help companies determine an appropriate course of action, the announcement will assess the importance of the security vulnerability, including a brief explanation of the vulnerability, the affected versions and platforms, and the overall impact.
Announcement of Security Fixes:
It is Actian’s policy not to announce security fixes until they are available for all affected and supported product version and platform combinations. An unannounced vulnerability fix may be included in a patch update when some, but not all, parts of the vulnerability are fixed, or because the fix is available on some, but not all, version-platform combinations of a product. Actian will formally disclose the vulnerability, and identify acknowledged advisors, only after fixes are available for all version and platform combinations.
Register for Announcements:
All users of the Customer Portal will automatically receive security announcements. If you are not already registered you can register here.
Where a new public security vulnerability is identified, official vendor statements will be provided to the National Vulnerability Database and can be found by searching for the supplied CVE number.
2016
- High - "Actian DataFlow Security Vulnerability Announcement" as of May 17, 2016
- Low - "Actian Ingres, Vector and VectorH Security Vulnerability Announcement" as of May 2, 2016
- Low - "Actian PSQL Security Vulnerability Announcement" as of April 7, 2016
2015
- High - "Actian DataFlow Security Vulnerability Announcement" as of September 2, 2015
- High - "Actian Matrix Security Vulnerability Announcement" as of May 22, 2015
- Low - "Actian Matrix Security Vulnerability Announcement" as of May 14, 2015
2014 and prior
- Low - "Heartbleed Vulnerability Actian Support: Heartbleed – Don’t Worry" as of April 18, 2014
- Low - "Heartbleed Vulnerability A message from the CIO" as of April 18, 2014
- Low - "Actian Ingres Security Vulnerability Announcement" as of August 30, 2011
- Medium - "Actian Ingres Security Vulnerability Announcement" as of February 26, 2010