Overview

Security is of the utmost importance to LabKey. We take a proactive approach to improving the platform and creating secure software, testing new and existing features for potential vulnerabilities. We also acknowledge that security issues will be identified after the software has been developed and deployed. As such, we have instituted the following policies.

Reporting Security Issues

We welcome reports of any issues that the community may identify. Please use our Contact Us form to securely send us information about potential vulnerabilities.

Assessment and Remediation

Whether we discover an issue ourselves or it is reported to us, the LabKey team will promptly assesses the issue, confirm if it is a true vulnerability, and determine a timeline for resolution based on the severity of the risk. We use the Common Vulnerability Scoring System (CVSS) to score the issue and guide our followup steps, completing the Base Score Metrics assessment under the following assumptions:

• The LabKey Server installation is on the public Internet
• Guest users can view at least Home project
• Self-registration is enabled, and logged in users are at least Submitters in one folder
• The server is configured and maintained following industry best practices

If the vulnerability is in code that is solely deployed in mitigating conditions (for example, in a module that is only used by one production installation which is behind a firewall and not on the public Internet), we will adjust the scoring accordingly.

We then compare the CVSS (version 3.1) score to the following industry ranges, and take the following actions:

Depending on the specific circumstances, we may take a more aggressive approach than what is described here.

LabKey Server CVEs

LabKey has patched the following Common Vulnerabilities and Exposures (CVE). We thank Tenable and Rhino Security Labs for their issue reports.

Related Topics

• Premium Resource: Best Practices for Security Scanning