Vulnerability Management Policy
Purpose and Scope
This Vulnerability and Patch Management Policy establishes a framework for identifying, assessing, and mitigating vulnerabilities in Code Town’s information systems. It aims to reduce security risks, maintain system integrity, and maintain compliance with regulatory requirements.
This policy applies to all information systems, networks, and applications owned or operated by Code Town, as well as all employees, contractors, and third parties responsible for managing these systems.
Policy Statements: Our Commitments
The following sections outline how Code Town manages the identification and remediation of vulnerabilities.
Bug Bounty & Vulnerability Program
We do not currently offer a bug bounty & vulnerability program. We welcome reports of security vulnerabilities. Information on found bugs or vulnerabilities can be sent to contact@shorebird.dev. Only reports with sufficient details (steps to reproduce, stated cause, possible remedies) will be investigated. We will respond to reports based on our assessment criteria, which can be found later in this document.
Vulnerability and Patch Management Process
Code Town adopts a structured process for vulnerability and patch management to ensure vulnerabilities are identified and remediated before they can be exploited. This process includes:
- Vulnerability identification: Proactively scanning and monitoring systems for known vulnerabilities using approved tools and services.
- Vulnerability assessment: Assessing the criticality of identified vulnerabilities based on their potential impact on systems, data, and operations.
- Patch management: Applying security patches and updates to address vulnerabilities based on their severity and potential risk.
- Testing and validation: Testing patches in a controlled environment to ensure they do not negatively affect system performance or functionality before deployment.
Vulnerability Identification and Assessment
Three processes are used to identify vulnerabilities:
- Automated security scans providing continuous monitoring of production systems
- Static analysis and dependency management tooling
- Regular penetration testing performed by a third party
Each identified vulnerability is assigned a priority or severity level to signal its urgency:

| Sev Rating | Priority Level | TTR | Definition | Examples |
|---|---|---|---|---|
| P0 | Critical | 7 days | Vulnerabilities that can cause a direct, immediate impact on the confidentiality, integrity, or availability of a system. Exploitation typically requires little to no user interaction and can lead to complete system compromise. | Vulnerabilities that result in Remote Code Execution such as Vertical Authentication bypass, SSRF, XXE, SQL Injection, User authentication bypass |
| P1 | High | 30 days | Vulnerabilities that can cause a significant impact, but might have some mitigating factors such as requiring user interaction or being more difficult to exploit than P0 vulnerabilities. | Cross-Site Request Forgery (CSRF), XML External Entity (XXE), Man-in-the-Middle (MitM) |
| P2 | Medium | 90 days | Vulnerabilities that pose a moderate risk. They might not lead to full system compromise or might require specific conditions to be exploitable. | Reflected XSS, Exposed Administration Panels, Open Redirects, Insecure Direct Object References |
| P3 | Low | As Needed | Vulnerabilities that pose a limited risk to the system, often due to the limited scope of impact, difficulty of exploitation, or minimal potential damage. | Improper Information Disclosure, Missing Security Headers, Lack of Secure Flags on Cookies |
Documentation of vulnerability findings should be preserved for a minimum of 5 years.
Patch Management and Remediation
Once vulnerabilities are identified and assessed, the following patch management activities take place:
- Patch prioritization: Vulnerabilities will be patched within the set TTR.
- Regular patching cycles: All systems will be patched during regularly scheduled maintenance windows to address medium and low-priority vulnerabilities.
- Emergency patches: In cases of immediate risk (e.g., zero-day vulnerabilities), emergency patches will be deployed outside of regular patching cycles, following testing and approval.
- Third-party software patches: Ensure that third-party applications and services are patched according to vendor advisories and within the same criticality framework.
Any exceptions to patching timeframes must be documented and approved, and compensating controls must be implemented for systems that cannot be patched. All exceptions are reviewed and reassessed regularly.
Testing and Validation
All patches will be tested in a non-production environment to ensure they do not introduce new vulnerabilities or degrade system performance.
After patches are applied, systems will be monitored to verify that the patch has been successfully deployed and that no adverse effects have occurred.
Monitoring and Reporting
Monitoring and reporting are essential for tracking the effectiveness of vulnerability and patch management processes. This includes:
- Patch status monitoring: Tracking the patch status of all systems to ensure they are up to date.
- Vulnerability reports: Generating regular vulnerability assessment reports for senior management to highlight outstanding vulnerabilities and patch deployment status.
In the event of an exploited vulnerability, the incident will be escalated and managed as per Code Town’s incident response plan.
Compliance and Enforcement
Compliance with this policy is mandatory for all employees, contractors, and third parties with access to Code Town’s data.
In rare cases, business needs, local laws, or regulations may require exceptions. Management will approve any exceptions and define alternative solutions.
Non-compliance may lead to disciplinary action, including termination, as per Code Town’s policies.
Policy Review and Maintenance
This policy will be reviewed annually or when significant changes occur to maintain its continuing suitability, adequacy, and effectiveness.
Reviews must consider changes in the regulatory landscape.