In February of this year we announced Fastly Security Advisories, which we publish to address vulnerabilities discovered on our own platform, as well as significant security vulnerabilities that affect the wider internet community.
Publishing advisories supports our security team’s vision for defending the modern web in two ways:
When we’re affected by a vulnerability, we want to be transparent, and provide either assurance or actionable information. We want customers to have access to the right information on an issue so they can accurately determine whether their platform is affected and whether any action is required to protect themselves. We also use advisories to provide detailed post-mortem information on an incident that may have affected customers, such as the GlobalSign TLS certificate revocation errors.
When our customers may be affected by a vulnerability, we see our CDN as a tool that can quickly deploy robust, virtual patches that help protect their application, without touching the origin server. An example of this is our advisory for how to mitigate the HTTP_PROXY vulnerability using our CDN.
Last week, we published a security advisory on our resolution of a vulnerability in our implementation of “forward secrecy,” which was pointed out by a group of security researchers. Forward secrecy is a property of TLS that prevents previously captured data from being decrypted if TLS keys are stolen at a later date. While we weren’t directly contacted by the researchers, we’d previously been made aware of the issue, and addressed the vulnerability on Friday, November 11. No customer action is required to benefit from the fix.
Threats on the web aren’t going away. Our goal is to continue to work within the broader operator and vendor community to stay on top of emerging security issues, and to leverage our security team and platform to deploy mitigations both for our customers and the larger web community.
If you’d like to stay informed about future security issues and how Fastly mitigates them, you can sign up to receive emails when we publish new advisories here. If you are a security researcher and would like to report a vulnerability to our team, you can find our contact information and our PGP key here.