SignServer Third-party Vulnerability Management Statement
Purpose
Keyfactor SignServer customers rely on the security of the SignServer software supply chain to protect both SignServer itself and the use cases they build on it.
Keyfactor is committed to maintaining a secure software supply chain for SignServer through proactive monitoring and analysis of vulnerabilities in third-party components included in the SignServer Container Set, where those vulnerabilities may affect the security of SignServer as a product or of customer deployments of the SignServer Container Set.
As part of every product release, we identify and evaluate vulnerabilities reported for third-party components included in the SignServer Container Set.
This process ensures that vulnerabilities in the dependencies used within the SignServer environment are continuously monitored and appropriately mitigated.
Scope
Our third-party vulnerability management process applies to containers and the documented deployment methods distributed as part of the SignServer Container Set, including:
The signserver-ee container
Third-party modules, system packages, and runtime libraries
Container base images and OS layers
The SignServer Enterprise Edition Helm chart
This process focuses specifically on third-party Common Vulnerabilities and Exposures (CVEs) that could impact the SignServer Container Set deployed in Kubernetes according to the product documentation.
For security issues identified and resolved in SignServer’s proprietary product code and submitted as CVEs, refer to Archive of SignServer Security Issues.
Process Summary
1. Automated Scanning
Prior to each release, all containers undergo automated scans to identify publicly known CVEs in third-party software.
Scans are performed using industry-recognized tools that rely on trusted vulnerability databases such as the NVD.
2. Review and Analysis
CVEs with a Common Vulnerability Scoring System (CVSS) base score of 4.0 or higher (Medium or above) are analyzed to determine whether they affect a SignServer Container Set deployed according to the product documentation, and whether exploitation of the vulnerability is feasible under real-world customer conditions.
The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. For more information, refer to Common Vulnerability Scoring System: Specification Document.
3. Remediation and Mitigation
Potential vulnerabilities related to third-party CVEs may be addressed in one of three ways: a documented statement explaining why the CVE is not exploitable in SignServer as a product, a documented mitigation action, or the availability of an upgraded SignServer version in which the affected component has been updated so that the CVE no longer appears in scans.
4. Customer Communication
Availability of new versions and relevant mitigation information is announced via the Keyfactor Support Portal and associated product documentation updates.
SBOM Availability
A detailed Software Bill of Materials (SBOM) is published for every version of the SignServer Container Set, see SignServer Software Bill of Materials.
The SBOM lists all third-party components and versions included in the release, providing full transparency into the product’s dependency composition.
Vulnerability Analysis Report (VAR)
For each release, Keyfactor produces a CVE and vulnerability analysis report for the SignServer Container Set summarizing:
Third-party CVEs identified during pre-release scanning, covering CVEs that were publicly reported at least 15 days before the SignServer release date (CVEs published closer to the release date fall outside the report's scope).
SignServer’s impact assessment and mitigation instructions, where applicable.
Any residual risks or pending actions.
The vulnerability analysis report is made available on request to authorized customers within 30 days after each release.
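As an added illustration (not Keyfactor tooling and not code from this page), the following Python reproduces the two scoping criteria this statement describes (CVSS base score of 4.0 or higher, and public disclosure at least 15 days before the release date) so that a customer can split the findings of their own container scan into those they should expect to see analyzed in the VAR and those they must track themselves. It assumes a Trivy-style JSON report (the field names `Results`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `CVSS`, `V3Score` and `PublishedDate` are assumptions about the scanner's output), takes the highest V3 base score across scoring sources as the CVSS base score (an assumption; the statement does not say which source it uses), and the sample report, package names and CVE identifiers below are constructed placeholders.

```python
import json
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import List, Optional, Tuple

# Triage criteria as stated in the vulnerability management statement.
CVSS_THRESHOLD = 4.0        # Medium or above (CVSS base score)
DISCLOSURE_LEAD_DAYS = 15   # CVE must be public at least this long before the release date


@dataclass(frozen=True)
class Finding:
    cve_id: str
    package: str
    installed_version: str
    cvss_base: Optional[float]  # None when no source has scored the CVE yet
    published: date


def _best_v3_score(cvss: dict) -> Optional[float]:
    # Assumption: when several sources score a CVE (e.g. nvd and a distro vendor),
    # the highest V3 base score is used so the filter errs on the side of inclusion.
    scores = [s.get("V3Score") for s in cvss.values() if isinstance(s, dict)]
    scores = [s for s in scores if isinstance(s, (int, float))]
    return float(max(scores)) if scores else None


def parse_report(report_json: str) -> List[Finding]:
    """Flatten a Trivy-style JSON report (field names assumed) into Finding records."""
    doc = json.loads(report_json)
    findings = []
    for result in doc.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            published = datetime.fromisoformat(v["PublishedDate"].replace("Z", "+00:00")).date()
            findings.append(Finding(
                cve_id=v["VulnerabilityID"],
                package=v["PkgName"],
                installed_version=v["InstalledVersion"],
                cvss_base=_best_v3_score(v.get("CVSS", {})),
                published=published,
            ))
    return findings


def in_var_scope(f: Finding, release_date: date) -> bool:
    """True when the finding meets both criteria the statement describes."""
    if f.cvss_base is None:
        return False  # unscored CVEs cannot pass the score threshold yet
    cutoff = release_date - timedelta(days=DISCLOSURE_LEAD_DAYS)
    return f.cvss_base >= CVSS_THRESHOLD and f.published <= cutoff


def triage(findings: List[Finding], release_date: date) -> Tuple[List[str], List[str]]:
    """Return (CVEs expected in the VAR, CVEs the customer must track themselves)."""
    expected = sorted(f.cve_id for f in findings if in_var_scope(f, release_date))
    own = sorted(f.cve_id for f in findings if not in_var_scope(f, release_date))
    return expected, own


# Constructed sample report: placeholder CVE IDs and package names, not real findings.
RELEASE_DATE = date(2024, 4, 15)   # cutoff for disclosure is therefore 2024-03-31
SAMPLE_REPORT = json.dumps({"Results": [{"Target": "signserver-ee (constructed)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-1001", "PkgName": "libplaceholder-a", "InstalledVersion": "1.2.3",
     "CVSS": {"nvd": {"V3Score": 7.5}}, "PublishedDate": "2024-02-10T12:00:00Z"},      # in scope
    {"VulnerabilityID": "CVE-0000-1002", "PkgName": "libplaceholder-b", "InstalledVersion": "2.0.0",
     "CVSS": {"nvd": {"V3Score": 9.8}}, "PublishedDate": "2024-04-05T00:00:00Z"},      # too recent
    {"VulnerabilityID": "CVE-0000-1003", "PkgName": "libplaceholder-c", "InstalledVersion": "0.9.1",
     "CVSS": {"nvd": {"V3Score": 3.3}}, "PublishedDate": "2024-01-01T00:00:00Z"},      # below 4.0
    {"VulnerabilityID": "CVE-0000-1004", "PkgName": "libplaceholder-d", "InstalledVersion": "4.4.4",
     "CVSS": {}, "PublishedDate": "2024-01-15T00:00:00Z"},                             # unscored
    {"VulnerabilityID": "CVE-0000-1005", "PkgName": "libplaceholder-e", "InstalledVersion": "3.1.0",
     "CVSS": {"nvd": {"V3Score": 3.9}, "redhat": {"V3Score": 5.5}},
     "PublishedDate": "2024-03-31T00:00:00Z"},                                         # boundary day, max score 5.5
]}]})


def triage_sample() -> Tuple[List[str], List[str]]:
    return triage(parse_report(SAMPLE_REPORT), RELEASE_DATE)


if __name__ == "__main__":
    expected, own = triage_sample()
    print("Expected in VAR:", expected)
    print("Track yourself: ", own)
```

The "track yourself" list is the practical output: a CVE disclosed inside the 15-day window or scored below 4.0 will not be covered by the release's VAR, so a customer who needs a position on it must raise it through support rather than wait for the report.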