Monitoring for vulnerabilities
Vulnerability Management
Palantir maintains an aggressive vulnerability management program and corresponding service level agreements (SLAs) for patching. This program includes vulnerabilities in our software products and in underlying infrastructure.
Palantir Security Bulletins
Palantir maintains and publicly releases security bulletins related to security issues we have identified in our supported software products. Where possible, Common Vulnerabilities and Exposures (CVE) identifiers are also issued.
These security bulletins include a summary of the issue, background context including scope and impact, remediation steps, and a timeline.
We endeavor to publicly disclose issues no more than 30 days after an issue has been identified, fixed, and communicated to our customers. We reserve the right to delay this disclosure deadline as needed for information security or other purposes.
If you are a Palantir customer, you will be provided private, embargoed security bulletins as part of our vulnerability management process. These may be forwarded to you via automated means, or by your Palantir representative.
We encourage all customers to subscribe to our Safebase site to be alerted when new security bulletins are made public.
Vulnerabilities in User-authored Code
One of the features of Palantir Foundry is for users to author arbitrary code. This code can import or rely on software packages, including those that may contain known security vulnerabilities.
Palantir will provide patched and updated versions of common software packages and bundles. However, automatically migrating user-authored code to these newer versions may break pipelines or integrations. Additionally, we cannot account for updating and managing all versions of all software used by Foundry users.
As such, it is a customer responsibility to manage the software versions present in the dependencies and packages used by code authored by your users. In extreme circumstances, Palantir may push breaking package upgrades to mitigate critical security issues (e.g. log4j) without notice or warning.