Open Source

Like most modern software, we rely on the contributions of the open source community to build Dovetail. We are also supporters of many open source projects that we use, both financially and through code contributions.

We also understand that our software supply chain is integral to protecting customer data and that our customers may want more information about our use of open source software. We have described the measures we take as it relates to open source software to ensure appropriate use and to reduce the risks of open source software.

We ensure that any open source code that we use is licensed under an appropriate license where it can be utilized and distributed within our services. These licenses include but are not limited to:

• MIT

• Apache 2.0

• BSD

• ISC

• MPL

We do not publicly provide attribution notices for all open source code used unless required by the license. We do use any open source code licensed under GPL.

We utilize a number of different mechanisms for detecting public vulnerabilities in open source software based on the development ecosystem.

For example, for JavaScript we leverage Yarn and GitHub's security alerts program. For Docker containers, we rely on Amazon ECR image scanning and Vanta. Alerts are push-based and are first raised and then triaged based on industry-recognized Common Vulnerability Scoring System (CVSS) scores. In the case of vulnerabilities that require remediation, we create issues in our issue tracker and monitor the SLA on those being resolved.

We have a formalized Vulnerability Management Policy and have more information on our approach to managing vulnerabilities at Infrastructure and Application Security.