Introduction
At MODX, we provide fully managed hosting on servers running Ubuntu Long Term Support (LTS) releases. We take security seriously and handle all system updates and patches in-house. This article explains our patching policy and how to interpret the patched state of a managed server.
Our Patching Policy
We apply security patches to all managed servers according to the following schedule, which is based on Ubuntu’s severity classifications and industry-standard best practices:
- Critical patches: Applied within 24 hours of release
- High patches: Applied within seven days of release
- Medium patches: Applied within 30 days of release
- Low and Negligible patches: Applied during routine maintenance cycles
Understanding Ubuntu’s Severity Classifications
Ubuntu classifies security vulnerabilities and their corresponding patches into the following severity levels:
- Critical: Easily exploitable vulnerabilities, typically reachable remotely in a default installation, that can lead to full system compromise, significant data loss, or service interruption.
- High: Vulnerabilities that are harder to exploit or require more preconditions, but could still lead to system compromise, privilege escalation, or data loss.
- Medium: Vulnerabilities that are more difficult to exploit (for example requiring local access or unusual configuration) or that have a less severe impact.
- Low: Minor vulnerabilities with limited impact or very narrow exposure.
- Negligible: Issues that are theoretical, not exploitable in a default configuration, or of extremely minor impact.
These classifications help us prioritize patches and maintain the security of your hosted environment.
Understanding Ubuntu’s Backporting System
Ubuntu uses a security model called “backporting.” Rather than upgrading a package to a newer upstream release, Ubuntu extracts the specific fix and applies it to the version that shipped with the LTS release. This keeps behaviour and APIs stable while still addressing the vulnerability.
Important: Because of backporting, the upstream version number of a package does not change when a security fix is applied; only the Ubuntu packaging revision (the suffix after the hyphen, for example “-3ubuntu0.1”) is bumped. Vulnerability scanners that match only on the upstream version will therefore report false positives on a fully patched server. The authoritative record of which CVEs a package fixes is its changelog (shipped as /usr/share/doc/<package>/changelog.Debian.gz, or viewable with “apt changelog <package>”), together with the Ubuntu Security Notice for that update.
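The following POSIX shell script is an added example, not MODX's own tooling or code from this page. It demonstrates the check a practitioner would run to confirm that a backported fix is present: split the Debian-style version string into upstream and revision parts, confirm the upstream part is unchanged while the revision moved, and confirm the package changelog names the CVE. The package name examplepkg, both version strings, the changelog text and the identifier CVE-2099-0001 are constructed placeholders.

```shell
#!/bin/sh
# Added example: verify a backported security fix without relying on the
# upstream version number. All package names, versions and the CVE id are
# constructed placeholders, not real identifiers.

# Split a Debian/Ubuntu version "[epoch:]upstream[-revision]" into its parts.
upstream_version() {
    v="${1#*:}"                       # drop the epoch, if present
    case "$v" in
        *-*) printf '%s\n' "${v%-*}" ;;   # everything before the last hyphen
        *)   printf '%s\n' "$v" ;;        # no revision at all (native package)
    esac
}

debian_revision() {
    v="${1#*:}"
    case "$v" in
        *-*) printf '%s\n' "${v##*-}" ;;  # everything after the last hyphen
        *)   printf '\n' ;;
    esac
}

# A backport keeps the upstream version and bumps only the packaging revision.
# Returns 0 when "$1" and "$2" share the same upstream version.
is_same_upstream() {
    [ "$(upstream_version "$1")" = "$(upstream_version "$2")" ]
}

# Returns 0 when changelog file "$1" mentions CVE id "$2" as a whole token,
# so that CVE-2099-0001 does not match CVE-2099-00012.
changelog_mentions_cve() {
    grep -qFw -- "$2" "$1"
}

# Combined check. Arguments: pre-patch version, installed version, CVE id,
# path to the installed package's changelog. Returns 0 when the installed
# version is a rebuild of the same upstream, differs from the pre-patch
# version, and the changelog credits the CVE. (A real deployment would use
# `dpkg --compare-versions` for the ordering test instead of plain inequality.)
fix_applied() {
    is_same_upstream "$1" "$2" || return 1
    [ "$1" != "$2" ] || return 1
    changelog_mentions_cve "$4" "$3"
}

# Constructed changelog in Debian changelog format, standing in for what
# /usr/share/doc/examplepkg/changelog.Debian.gz would contain after the update.
CHANGELOG="$(mktemp)"
cat > "$CHANGELOG" <<'EOF'
examplepkg (2.4.1-3ubuntu0.1) noble-security; urgency=medium

  * SECURITY UPDATE: placeholder fix for CVE-2099-0001
    - debian/patches/CVE-2099-0001.patch: backported upstream fix

 -- Example Maintainer <maintainer@example.com>  Mon, 01 Jan 2099 00:00:00 +0000
EOF

# Usage: versions as they would appear from
#   dpkg-query -W -f='${Version}\n' examplepkg
# before and after the security update.
BEFORE="2.4.1-3"
AFTER="2.4.1-3ubuntu0.1"
if fix_applied "$BEFORE" "$AFTER" "CVE-2099-0001" "$CHANGELOG"; then
    echo "CVE-2099-0001 fix present: upstream $(upstream_version "$AFTER") unchanged, revision now $(debian_revision "$AFTER")"
else
    echo "CVE-2099-0001 fix NOT confirmed for $AFTER"
fi
```

On a live server the same checks run against the installed package: read the version with `dpkg-query -W -f='${Version}\n' <package>` and search `zcat /usr/share/doc/<package>/changelog.Debian.gz` for the CVE id from the relevant Ubuntu Security Notice. A scanner that flags a package purely because its upstream version is older than the upstream release that first fixed the bug is applying the wrong test on a backporting distribution.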
Our Commitment to Security
We continuously monitor Ubuntu Security Notices and the Ubuntu CVE tracker for new security patches and apply them according to the schedule above. This proactive approach helps ensure that your hosted environment remains secure.
What If a Vulnerability Isn’t Patched?
In rare cases where a vulnerability has been reported but Ubuntu has not yet published a fix, we assess the risk to the affected servers and may apply additional mitigations (such as configuration changes or restricting access to the affected component) until a patch is available. We prioritize confirmed, unpatched vulnerabilities according to their severity classification.
Contact Us
If you have any questions about our patching policy or have concerns about specific vulnerabilities, please don’t hesitate to contact our support team.
Remember: Security is a partnership. We manage operating-system and server-level security; you are responsible for application-level security within your hosted environment, including keeping MODX and any extras, themes, and custom code up to date.