Salesforce Policy on Publishing Common Vulnerabilities and Exposures (CVE)

Publish Date: Apr 28, 2025

Description

At Salesforce, the security of our customers' data is our top priority. We understand that transparency is crucial in building and maintaining trust. To this end, we have a clear and stringent policy for disclosing security vulnerabilities through the Common Vulnerabilities and Exposures (CVE) framework.

Resolution

Salesforce as a CVE Numbering Authority

Salesforce is the CVE Numbering Authority (CNA) for all Salesforce products. This means we have the authority to assign CVE identifiers to vulnerabilities for all products within the Salesforce suite of products. We work in close partnership with MITRE to issue CVEs, ensuring that our customers are informed of vulnerabilities that require their attention for remediation.
When We Publish CVEs

We carefully evaluate the benefits of issuing a CVE against the potential risks. Our goal is to minimize the risk for all customers while maintaining transparency. We recognize that public disclosure elevates the risk of alerting potential attackers. Therefore, we only issue CVEs when it is appropriate and necessary.

Salesforce publishes CVEs when remediating the vulnerability requires action from external parties, typically our customers. This includes scenarios such as patching on-premises and open-source application software.

CVE Publishing Criteria

We issue CVEs for vulnerabilities that meet both of the following criteria:

  • The vulnerability is rated as CRITICAL or HIGH and

  • Remediation of the vulnerability requires action from the customer.
Our Process

  1. Proactive Communication: Before issuing a CVE, we proactively communicate with impacted customers. This ensures they are aware of the vulnerability and the actions they need to take to protect their data and systems.

  2. 30-Day Notification Period: We issue CVEs 30 days after these proactive communications. This period allows our customers to address the vulnerability before it is publicly disclosed, minimizing the risk of exploitation.
Customer Assurance

We want to assure our customers that we are committed to maintaining the highest security standards. Our policy is designed to protect your data while providing you with the information you need to secure your systems. We appreciate your understanding and cooperation in maintaining the security of our products and your data.

Knowledge Article Number

004693694
Salesforce Help | Article