Marketplace Security Guidelines
Introduction
Camunda enforces security in every facet of its business, especially in those parts that access our customers' data. In this marketplace, our partners can upload their connectors that interact with our product. This document outlines the security responsibilities of our partners, the different security requirements, and the timeframe for acknowledging, mitigating, and fixing vulnerabilities found in their connectors.
Partner Responsibilities
Partners are responsible for the security of their connectors or apps. This includes, but is not limited to, ensuring secure coding practices, regular vulnerability assessments and penetration tests, and adhering to all the security requirements outlined in this document.
Minimum Security Requirements
Data Protection
- Partners must ensure that their apps or connectors do not misuse, mishandle, or expose any sensitive data.
- All data must be encrypted in transit. TLS version 1.2 (or higher) must be used for encryption.
- The Connector shall not store any information outside of the Camunda Cluster that it is installed in.
Application Security
- The Connector shall not use versions of third-party libraries and dependencies that contain known critical or high vulnerabilities. In the event that vulnerabilities within these libraries and dependencies are identified, it is the responsibility of the application developer to address and rectify them as soon as possible.
- All untrusted data, which includes any input that could potentially be manipulated to carry a web attack payload, must be thoroughly validated and sanitized by the application. To minimize the risk of injection-related vulnerabilities, it is essential to treat all user input as potentially harmful.
Privacy
Partners must respect the privacy of the end-users. The Connector shall not collect any credentials (passwords, API tokens, etc.).
Vulnerability Management
Partners must perform regular vulnerability assessments and fix any discovered vulnerabilities in a timely manner.
Vulnerability Management Timeframe
Vulnerabilities must be managed according to their CVSSv3 score:
| Severity | CVSSv3 Score | Time to Acknowledge | Time to Mitigate | Time to Fix |
|----------|--------------|---------------------|------------------|-------------|
| Critical | 9.0-10.0 | 24 hours | 48 hours | 4 weeks |
| High | 7.0-8.9 | 48 hours | 72 hours | 6 weeks |
| Medium | 4.0-6.9 | 5 days | 10 days | 8 weeks |
| Low | 0.1-3.9 | Accepted | Accepted | Accepted |
By adhering to these guidelines, we aim to ensure a robust security posture for our marketplace and protect the data and privacy of our customers.
Missing the timeframe
Failure to meet these timeframes will result in temporary or permanent removal of the Connector from the Marketplace.
Clear and readable code and dependencies
Partners must commit to providing clear, readable, and understandable code and dependency definitions, and not do anything that intentionally or unintentionally would lead to:
- Dependencies not being detected by vulnerability scanners
- Dependency versions not being detected or incorrectly being detected by vulnerability scanners
- Obfuscation of the function or behavior of the connector
- Obfuscation of malicious behavior
- Obfuscation of external communication