Acquia takes the safety and security of our platform seriously.
Through investigations of subscriber questions and issues raised through Acquia’s customer Support team, Acquia has discovered there are resources on the internet which present information that can be either misleading or misinterpreted when analyzed outside of an Information Security Program or other similarly-skilled personnel.
Acquia’s Security Engineering team follows an Information Security process which reviews various sources of information, but bases scores primarily on the National Vulnerability Database (NVD) with the Common Vulnerability Scoring System (CVSS) 3.0 scoring. The NVD database is not the full extent of information, but serves as a key in providing the necessary intelligence for keeping Acquia up-to-date and in the best possible security posture.
Common Vulnerabilities and Exposures (CVE®) is a list of common identifiers for publicly-known cybersecurity vulnerabilities. CVE is now the industry standard for vulnerability and exposure identifiers. CVE Entries—also called CVEs, CVE IDs, and CVE numbers by the community—provide reference points for data exchange so cybersecurity products and services can speak with each other. CVE entries also provide a baseline for evaluating the coverage of tools and services, so users can determine which tools are most effective and appropriate for their organization’s needs.
Acquia is aware that websites publish different types of information, representing or categorizing the information as vulnerability data or security advisories, when the information is more accurately described as standard release notes, bug fixes, or other errata. When reviewing such data, Acquia recommends cross-examining or fact-checking against the NVD.