This policy describes Overcut’s vulnerability management practices, release process, and version support lifecycle for customer-managed deployments. It provides transparency into how Overcut identifies, remediates, and delivers security and stability updates.
This policy applies to customer-managed deployments that you run in your own environment: private cloud, on-premises, and air-gapped installations. It does not cover the Overcut-hosted (SaaS) offering, which Overcut patches and operates directly.
1. Purpose & Scope
This policy defines how Overcut identifies, triages, remediates, and ships fixes for security vulnerabilities in the Overcut platform, and the support commitments for released versions.
It applies to customer-managed deployments, including private cloud, on-premises, and air-gapped environments, and covers Overcut-developed application code and its dependencies.
This policy does not cover vulnerabilities in customer-managed infrastructure, including databases, message buses, object storage, Kubernetes clusters, operating systems, networking components, or third-party systems integrated by the customer.
2. Vulnerability Detection
Overcut continuously performs automated security analysis throughout the software development lifecycle.
| Control | Coverage | Frequency |
|---|---|---|
| Static application security testing (SAST) | Overcut-developed source code | Every pull request and primary-branch push, plus scheduled scans |
| Software composition analysis (SCA) | Open-source dependencies | Continuous |
| Infrastructure and configuration scanning | Infrastructure-as-Code and deployment configurations | Continuous |
| Dependency monitoring | Third-party dependencies and container images | Continuous |
Security findings are reviewed and triaged according to their severity and potential impact on customer environments.
Overcut supplements automated scanning with manual security reviews, external security assessments, and customer-reported findings.
3. Security Reporting
Security concerns, vulnerability disclosures, and suspected security issues may be reported to support@overcut.ai.
All reports are reviewed and processed through Overcut’s vulnerability management workflow.
4. Severity Classification
Vulnerabilities are classified using CVSS v3.1 base scores, adjusted where appropriate for exploitability, exposure, and impact within the Overcut platform.
| Severity | CVSS Range | Typical Characteristics |
|---|---|---|
| Critical | 9.0 - 10.0 | Remote code execution, authentication bypass, or significant data exposure with low complexity |
| High | 7.0 - 8.9 | Significant impact requiring specific preconditions or attack paths |
| Medium | 4.0 - 6.9 | Limited impact or increased attack complexity |
| Low | 0.1 - 3.9 | Minimal impact or defense-in-depth improvements |
5. Remediation Timeframes
Remediation time is measured from the point a vulnerability is confirmed and triaged to the point a fix is made available in a released version.
| Severity | Target Remediation Timeframe |
|---|---|
| Critical | Within 7 days |
| High | Within 30 days |
| Medium | Within 90 days |
| Low | Next scheduled release |
Critical and High severity fixes may be released outside the regular release cycle and are backported to all supported versions within their support window.
6. Release Cadence
Overcut follows Semantic Versioning (MAJOR.MINOR.PATCH).
- Feature (minor) releases are typically published every one to three months.
- Patch releases are published as needed to address defects and non-critical issues.
- Security releases may be published independently of the regular release schedule whenever a validated security fix is available.
Prior to general availability, releases may undergo internal validation and testing through release candidate versions.
In exceptional circumstances involving actively exploited Critical vulnerabilities, Overcut may issue emergency hotfix releases outside normal release processes.
7. Version Support & End-of-Life
Each Overcut release is supported for six months from its General Availability (GA) date.
During the support period, Overcut provides:
- Security patches
- Critical bug fixes
- Backported Critical and High severity security fixes
Versions that have exceeded their six-month support period are considered End-of-Life (EOL) and no longer receive updates, patches, or backported fixes.
Customers running EOL versions may be required to upgrade to a supported version before receiving newly released fixes or security updates.
All previously released versions, including container images and Helm charts, are retained and remain available for installation or rollback purposes. Retention of release artifacts does not imply continued support or patch availability for EOL versions.
Response times, support availability, and support service levels are governed by the applicable customer agreement or support plan and are outside the scope of this policy.
8. Patch Delivery
Fixes are delivered as versioned, immutable release artifacts.
Kubernetes / Helm deployments
Customers apply updates using the corresponding released Helm chart version. Rollback can be performed by redeploying a previously released version.
Docker Compose / standalone deployments
Customers apply updates by pulling and deploying the released container image versions associated with the target release.
Air-gapped deployments
Customers may download released container images and deployment artifacts, transfer them into their internal environment, and publish them to their private registry. Updates and security patches can therefore be applied entirely within the customer network without requiring direct access to Overcut-hosted registries.
9. Customer Notification
For security-relevant releases affecting customer-managed deployments, Overcut will:
- Publish release notes describing relevant fixes and changes.
- Notify affected customers through established customer communication channels.
- Provide direct notification for Critical security issues together with recommended upgrade guidance where appropriate.
Overcut manages externally reported vulnerabilities in accordance with responsible disclosure practices.
10. Policy Review
This policy is reviewed periodically and updated as Overcut’s products, security practices, and release processes evolve.
This document describes Overcut’s current practices and version lifecycle commitments. Unless explicitly incorporated into a customer agreement, order form, or support agreement, it does not create contractual obligations and may be updated from time to time.