I can see that a similar question is posted earlier here, however, I would like to have more details on Aspose vulnerability management regime. Specifically, the following:
How often do you test Aspose.Total for .NET for security vulnerabilities?
What are your vulnerability remediation timeframes?
How do you notify the customers about security vulnerabilities and subsequently fixes?
Do you have any process/channel for the customers to report security vulnerabilities/issues?
We are an Aspose customer and as such, we would prefer to have a formal response to these questions along with any supporting documentation e.g., vulnerability management process, assessment report, etc.
Please note, Aspose for .NET APIs are safe and do not expose any vulnerability. We scan and test our products for every possible vulnerabilities from time to time. These reports are generated by our teams for the internal audit and reviews, there is no fixed timeframe for internal testing and audits. Moreover, (if in any case) we found any vulnerability in any API, we fix/remove it on the spot immediately. We do not notify users about it. Moreover, we do not share the original scans/results with the users as it is proprietary data or internal module(s) and we cannot share with the clients.
We recommend you to kindly try using latest versions of Aspose (.NET) APIs and you won’t find any vulnerability and security issues.
@amjad.sahi thanks for the feedback. However, I would like to understand why customers are not notified of vulnerability fixes. It is not always required to use the latest versions of packages unless any functionality or security issues need a fix. In the case of Aspose, I believe it is not the best approach to ask customers to always update to the latest version without disclosing the reasons.
Also, I want to understand if we detect a security vulnerability in Aspose and report it to you, what would be the timeframe to remediate it?
As we told you we do not share the original tests/scans with the users being proprietary or internal data. In some cases, we can share resultant reports for some APIs. We recommend latest versions because latest APIs are already scanned for possible vulnerabilities.
If find any vulnerability or security issue in any Aspose .NET API, kindly report us with details and samples. We will check and fix it asap.