Vulnerability Management Summary

Release Methodology

Silverfort follows CISA recommendations for mitigating the vulnerabilities it finds, after carefully assessing and risk-scoring each one using CVSS 3.1. Our standard sprints occur tri-weekly, and the results are released to our customer portal for client download in monthly releases. If criticality warrants, Silverfort will release on an expedited basis.

Generally speaking, the following SLAs are in place for addressing vulnerabilities:

  • Critical (CVSS >9): SLA 15 days (ASAP)

  • High (CVSS 7-9): SLA 30 days

  • Medium (CVSS 4-7): SLA 90-180 days¹

  • Low (CVSS < 4.0): As needed¹

Advanced Tools and Services

Silverfort employs a wide variety of tools and services to ensure vulnerabilities are detected and mitigated. These include:

  • Dynamic and static code scanning

  • Vulnerability scanning with exploit testing

  • Input and output validation

  • Internal and external vulnerability assessments using leading industry experts and tools

Vulnerability Disclosure

To protect Silverfort and its clients, Silverfort never publicly releases details of vulnerabilities, including those already closed and addressed. Instead, Silverfort provides attestations by our CISO as well as summary-level test results, so that customers receive sufficient confirmation of the tests performed and of the resolution of any issues found.

Testing Cadence

Internal assessments are continuous, including an assessment prior to each major product release. We also periodically perform advanced security assessments using outside firms.

Summary of Last External Vulnerability Assessment

In November 2022, Silverfort performed external security testing on version 4 of our product. This testing was done by BDO Cyber Security Center, a respected firm, as Grey-Box testing against the product ecosystem. Grey-Box testing combines elements of White-Box and Black-Box testing: the testers are given some knowledge of the internal structure, design, and function of the system.

In that test, the firm identified two (2) medium and six (6) low issues. These issues did not represent a significant threat to our product; rather, they were hygiene-related vulnerabilities. Silverfort’s CISO, CTO, and VP R&D were all involved in the analysis and risk evaluation in conjunction with our external partners.

Corrective actions were taken to close all eight (8) issues, and BDO confirmed closure in their retest during January 2023.

To quote the retest summary by BDO, "The Grey-Box application testing of Silverfort Identity Protection Platform found no high-risk vulnerabilities. Other findings were addressed and remediated as part of this process and verified by BDO with no outstanding findings."

¹ Medium and Low vulnerabilities are patched or mitigated based on their risk scoring and exploitability, specific to Silverfort’s product and operating environment.

Internet Security

Silverfort maintains both ISO 27001 and SSAE SOC 2 Type 2 audit certifications, as do our hosting facilities.

Network Protection

Silverfort’s technology is deployed on-premises and protected by our clients' security ecosystem and personnel. Our optional mobile messaging and SaaS components are protected by Microsoft Azure security features and services, including web application firewalls.

Industry Expertise

Silverfort’s CISO and security personnel have decades of experience protecting organizations and contributing to the global security of some of the largest firms in the world. Our threat researchers are world-renowned and regularly contribute to community research articles on emerging threats and vulnerabilities.

Training

All employees at Silverfort participate in ongoing training and education. Our developers are trained regularly on SANS and OWASP secure coding practices.
