Jamf Critical Security Issue Patch Policy
Summary
Jamf strives to provide the highest level of security for its customers. Unfortunately, there are occasions where a security vulnerability within a Jamf product codebase is detected. The following policy addresses Jamf's warranty period on patching these security issues across our product line as they occur.
Critical Security Issue Definition
Jamf uses the Common Vulnerability Scoring System (CVSS) to define severity of security issues. This policy applies to any security issue identified as a "Critical" issue on the CVSS scale, having a score of 9.0-10.0
Priority
We are responsible for the infrastructure of thousands of customers. As such, when a critical security vulnerability is discovered within a Jamf product, patching these environments is Jamf's top priority.
Cloud
Within Jamf Cloud, resolution will take place either by creating a new build of the impacted Jamf product and upgrading customers to the latest build in the cloud, or we will patch the current Jamf product in the release.
On-Premises
While we cannot apply the resolution of a security vulnerability to on-premises Jamf customers, we will provide on-premises customers with a version update, or a patch that can be applied to their on-premises environment.
Version Definition
Jamf products utilize the semantic versioning standard. Given a version number (i.e., "1.0.0"), the following definitions apply: MAJOR.MINOR.PATCH
Jamf Version Support
While we'd like to ensure that our customers are always running the latest version of Jamf products, we understand that there are circumstances (i.e., change control procedures, change blackout periods, etc.) that can prevent a customer's ability to run the latest version. With that in mind, in the instance of a critical security vulnerability (CVSS score 9.0-10.0), in addition to patching the latest version of a Jamf product, we will provide a resolution to the security issue if it exists in the previous minor release.
Communication
When a critical security vulnerability is discovered, Jamf will communicate details via the Jamf Nation community, and via an email to the primary technical contact for the account.
Aaron Kiemele
Jamf CISO
