Statement on CVE YYYY-XXXX

Note

Identifier naming convention

  • CVE-YYYY-XXXX: public ID for the security event

  • CISA-YYYY-MMDD: for a CISA event. The timestamp is the date we respond.

  • MD-YYYY-MMDD: internal assessment

    • MD-YYYY-MMDD-XX: multiple security events on one date

Statement on CVE YYYY-XXXX <short-description>

Note

<short-description>: Name of the event in 3-5 words

July 01, 2024

Information

<long-description>

Note

<long-description>: Public information about the security event. Use the CVE number or the event’s name to look up this info.

If the CVE is unidentified, a quick Google search with the keyword “<event-name> CVE” can narrow down the event info.

Example

Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass. This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2.

Risk

<status>

Note

<status>: Impact level of the security event on our infrastructure and services.

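====================================================================  ==============  ============================
Impact level                                                          Status          RST Syntax
====================================================================  ==============  ============================
We do not use the tool.                                               Not Applicable  :bdg-info:`Not Applicable`
Tool is used in very isolated cases. Risk is minimal.                 Low             :bdg-success:`Low`
May be affected, internal only. Not an extremely isolated situation.  Medium          :bdg-warning:`Medium`
May be affected, customer facing.                                     High            :bdg-danger:`High`
====================================================================  ==============  ============================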

Example

Low

Response

<Melissa-official-response>

Example

Melissa Data Corporation (“Melissa”) was not impacted by the MOVEit Transfer Bug vulnerability. Any Melissa commercial web services or products were not impacted by this vulnerability.

Melissa will continue to follow all guidance provided for this vulnerability as necessary to prevent any future risks.