Vulnerability Management Policy

Purpose and Scope

This Vulnerability and Patch Management Policy establishes a framework for identifying, assessing, and mitigating vulnerabilities in Code Town’s information systems. It aims to reduce security risks, maintain system integrity, and maintain compliance with regulatory requirements.

This policy applies to all information systems, networks, and applications owned or operated by Code Town, as well as all employees, contractors, and third parties responsible for managing these systems.

Policy Statements: Our Commitments

The following sections outline how Code Town manages the identification and remediation of vulnerabilities.

Bug Bounty & Vulnerability Program

We do not currently offer a bug bounty & vulnerability program. We welcome reports of security vulnerabilities. Information on found bugs or vulnerabilities can be sent to contact@shorebird.dev. Only reports will sufficient details (steps to reproduce, stated cause, possible remedies) will be investigated. We will respond to reports based on our assessment criteria which can be found later in this document.

Vulnerability and Patch Management Process

Code Town adopts a structured process for vulnerability and patch management to ensure vulnerabilities are identified and remediated before they can be exploited. This process includes:

• Vulnerability identification: Proactively scanning and monitoring systems for known vulnerabilities using approved tools and services.
• Vulnerability assessment: Assessing the criticality of identified vulnerabilities based on their potential impact on systems, data, and operations.
• Patch management: Applying security patches and updates to address vulnerabilities based on their severity and potential risk.
• Testing and validation: Testing patches in a controlled environment to ensure they do not negatively affect system performance or functionality before deployment.

Vulnerability Identification and Assessment

Three processes are relevant to identify vulnerabilities:

• Automatic security scans doing continuous monitoring on production systems
• Static analysis and dependency management tooling
• Regular penetration testing performed by a third party

Each identified vulnerability is assigned a priority or severity level to the issue to signal its urgency:

Sev Rating	Priority Level	TTR	Definition	Examples
P0	Critical	7 days	Vulnerabilities that can cause a direct, immediate impact on the confidentiality, integrity, or availability of a system. Exploitation typically requires little to no user interaction and can lead to complete system compromise.	Vulnerabilities that result in Remote Code Execution such as Vertical Authentication bypass, SSRF, XXE, SQL Injection, User authentication bypass
P1	High	30 days	Vulnerabilities that can cause a significant impact, but might have some mitigating factors such as requiring user interaction or being more difficult to exploit than P0 vulnerabilities.	Cross-Site Request Forgery (CSRF), XML External Entity (XXE), Man-in-the-Middle (MitM)
P2	Medium	90 days	Vulnerabilities that pose a moderate risk. They might not lead to full system compromise or require specific conditions to be exploitable.	Reflected XSS, Exposed Administration Panels, Open Redirects, Insecure Direct Object References
P3	Low	As Needed	Vulnerabilities that pose a limited risk to the system, often due to the limited scope of impact, difficulty in exploitation, or minimal potential damage.	Improper Information Disclosure, Missing Security Headers, Lack of Secure Flags on Cookies

Documentation of vulnerability findings should be preserved for a minimum of 5 years.

Patch Management and Remediation

Once vulnerabilities are identified and assessed, the following patch management activities take place:

• Patch prioritization: Vulnerabilities will be patched within the set TTR.
• Regular patching cycles: All systems will be patched during regularly scheduled maintenance windows to address medium and low-priority vulnerabilities.
• Emergency patches: In cases of immediate risk (e.g., zero-day vulnerabilities), emergency patches will be deployed outside of regular patching cycles, following testing and approval.
• Third-party software patches: Ensure that third-party applications and services are patched according to vendor advisories and within the same criticality framework.

Document and approve any exceptions to patching timeframes and implement compensating controls for systems that cannot be patched. Regularly review and reassess all exceptions.

Testing and Validation

All patches will be tested in a non-production environment to ensure they do not introduce new vulnerabilities or degrade system performance.

After patches are applied, systems will be monitored to verify that the patch has been successfully deployed and that no adverse effects have occurred.

Monitoring and Reporting

Monitoring and reporting are essential for tracking the effectiveness of vulnerability and patch management processes. This includes:

• Patch status monitoring: Tracking the patch status of all systems to ensure they are up to date.
• Vulnerability reports: Generating regular vulnerability assessment reports for senior management to highlight outstanding vulnerabilities and patch deployment status.

In the event of an exploited vulnerability, the incident will be escalated and managed as per Code Town’s incident response plan.

Compliance and Enforcement

Compliance with this policy is mandatory for all employees, contractors, and third parties with access to Code Town’s data.

In rare cases, business needs, local laws, or regulations may require exceptions. Management will approve any exceptions and define alternative solutions.

Non-compliance may lead to disciplinary action, including termination, as per Code Town’s policies.

Policy Review and Maintenance

This policy will be reviewed annually or when significant changes occur to maintain its continuing suitability, adequacy, and effectiveness.

Reviews must consider changes in the regulatory landscape.