Vulnerability and scanning policy

Overview

Collibra supports customer risk management processes by permitting customers to report on application vulnerabilities identified in Collibra’s products or services. At Collibra, the security of our products is paramount and therefore we take the discovery of application vulnerabilities seriously. However, in order to ensure that we can address any security issues in a time-efficient and appropriately prioritized manner, customer reporting on vulnerabilities is permitted only under the specific conditions outlined in this policy.

Important Performing vulnerability scanning of Collibra’s cloud services is not permitted. Application security testing of our products by customers may be undertaken once annually via a request to your account executive, customer success manager, or through the Collibra support portal . Testing conditions, prerequisites, and approval by Collibra applies.

Subject to the following requirements, customers may contact Collibra Customer Support with a list of identified Common Vulnerabilities and Exposures (CVE) findings from application security vulnerability scans and request a review from Collibra. Collibra will also review individual CVEs for application security findings identified outside of vulnerability scanning, provided they meet the requirements of this policy.

When submitting vulnerability security scans or individual CVE findings to Collibra, customers must meet all conditions set forth in this policy.

General conditions

  1. The security vulnerabilities or vulnerability scans submitted to Collibra Support should be for the most recent generally available (GA) release of the applicable software as stated here. This is regardless of the intended version of the Collibra software to be used by a customer in their production environment.
    Note Collibra’s standard practice is to apply security vulnerability fixes as patches to the latest GA version only. Collibra is unable to review reports for non-GA versions.
  2. Collibra Edge is a containerised software application integrated with the Collibra Data Intelligence Platform (CDIP), and deployed within customers’ internal networks, cloud services, or customer-managed third-party Kubernetes environments (K8S). The following specific requirements apply to customer Edge vulnerability scans:
    1. Due to its weekly update schedule,Edge repository vulnerability scans performed by a customer should be submitted as quickly as possible to Collibra. This should be within three business days maximum of being conducted.
    2. Edge vulnerability scans should only be performed on the most recent version of Edge and related images provided by Collibra from its repository, as described and made available to customers here.
    3. Collibra cannot review infrastructure vulnerability scans of customer physical or virtual hosts where they have installed Edge. These scans often list vulnerabilities outside the scope of Edge itself, for example, those within the partial or entire file system of that host. This then produces false positives or findings that are not for Collibra's attention and can impede review. Reports provided in this manner will be rejected.
  3. Vulnerability findings or reports should be submitted through a Collibra Customer Support ticket only. Collibra will respond to the specific, confirmed findings and their statuses on this ticket. The ticket will remain open until Collibra and the customer have concluded the review for the specific findings or scan.
  4. Please ensure any Collibra SLA/resolution dates provided are considered before following up on a specific CVE finding where the SLA date for the applicable CVE has not yet expired.
  5. Specifically for Edge, due to the weekly updates provided on this product, customers should verify the status of any reported vulnerabilities by performing a new vulnerability scan after pulling the most current GA release Edge images.
  6. Collibra cannot notify customers of any change in CVE status but can confirm the status upon inquiry.

Reporting requirements

  1. The name and version of the impacted Collibra product(s) where the vulnerability or CVE(s) were identified must be provided.
  2. For Edge image vulnerability scans, customers must include the version of Edge pulled and scanned (e.g., 202x-0x.x.x). Refer to the instructions here on pulling the most current Edge images. 
  3. If Edge is deployed in a customer's own managed Kubernetes cluster, such as Amazon EKS or Google Kubernetes Engine, indicate which type of service the Edge site is installed on with the submitted report. This will negate the number of Edge containers that are not applicable to a customer's managed Kubernetes environment and reduce the overall number of findings.
  4. Customer vulnerability scan reports can only be accepted in CSV or XLS file format with a single CVE per row. YAML, JSON, unstructured text, PDF, or other formats cannot be reviewed.
  5. Customer vulnerability scan reports or individual findings should exclude any CVE where a fix is indicated as unavailable, or there is a vendor or similar dependency, also meaning a fix is not applicable. Most vulnerability scanning tools provide this level of information. This will aid in reducing the time to respond to any customer findings.

CVE requirements

  1. Collibra is able to review confirmed CVEs recorded on the National Vulnerability Database (NVD) provided they are not in the following states:
    1. "Under assessment"
    2. "In analysis"
    3. "Pending"
    4. Without an assigned CVSS score
  2. Collibra cannot review vendor advisories (e.g. GitHub, RedHat, PRISMA etc.) where no CVE is cited within the advisory. Where one or more CVEs are cited within an advisory, please ensure these are included with each advisory listed in a customer scan report.
  3. The following minimum information must also be present in any customer vulnerability scan report in CSV or XLS format, in order for a review of identified CVE(s) to take place:
    1. CVE reference e.g. CVE-20xx-xxxxx
    2. Image/container name where the CVE was found.
    3. Package/component name within the affected container: e.g: spring-web, curl,ncurses etc. Without any namespace prefix e.g. org.apache.velocity.
    4. Full path to where the issue is seen within the container. e.g: /app/libs/spring-web-5.3.27.jar.
    5. CVE severity (high/low etc.)
    6. Version of affected package/component.
    7. Optional: Summary of issue.
    8. Optional: CVSS v3 base score.
    9. Optional: package/component fix version number.
    10. Optional: “is there a known exploit?”

    See the following example for guidance:

  4. Multiple occurrences of the same CVE against different images/containers or components must be listed on separate rows. Reports where a single package/component is listed in one column and multiple CVEs for that package/component are in another column will be rejected.

Assessment by Collibra

  1. Collibra’s vulnerability management process prioritizes “High” or above ratings recorded against any identified CVEs provided in a scan.
  2. Mitigating or compensating factors are taken into consideration for all reported CVEs when Collibra evaluates vulnerabilities.

  3. Collibra’s practice is to apply security vulnerability fixes as patches to the latest GA version of the applicable product. Backporting security vulnerabilities is against Collibra’s fix-forward practice. Customers are encouraged to keep up with the latest version of our products to benefit from the newest functionality and latest fixes for bugs and security vulnerabilities. Please see Collibra’s supported versions page for more details.