Vulnerability Management Policy
Document Version: 1.0
Last Updated: July 19, 2025
SOC 2 Mapping: CC7.1, CC7.2, CC7.3, CC7.4, A1.2
1. Purpose
This policy establishes a structured approach to identifying, assessing, prioritizing, remediating, and verifying the resolution of security vulnerabilities across DevSecOpsBook systems, applications, and infrastructure. It ensures risks are effectively managed in alignment with SOC 2 trust principles for security and availability.
2. Scope
This policy applies to all:
- Servers, containers, endpoints, and cloud infrastructure
- Source code repositories and CI/CD pipelines
- Software dependencies, open-source components, and third-party libraries
- Employees and contractors responsible for managing systems
3. Responsibilities
- Security Team: Oversees the vulnerability program and its toolsets, conducts periodic scans, reports findings, and coordinates remediation.
- Engineering & DevOps Teams: Own remediation of vulnerabilities in code, infrastructure, and dependencies.
- Vendors: Must demonstrate adherence to acceptable patching and vulnerability handling practices.
4. Vulnerability Identification
- Automated Scanning: All production and staging systems must be scanned weekly using approved tools (e.g., Snyk, Trivy, AWS Inspector).
- Code Scanning: Static and dynamic analysis must be conducted on all code bases via CI pipelines.
- Dependency Checks: Use software composition analysis (SCA) tools to detect risks in third-party packages.
- Bug Bounty & Disclosures: The security team shall monitor and triage vulnerabilities reported via responsible disclosure programs.
5. Risk Rating & Prioritization
Vulnerabilities will be rated using CVSS (Common Vulnerability Scoring System):
- Critical (CVSS ≥ 9.0)
- High (7.0 ≤ CVSS < 9.0)
- Medium (4.0 ≤ CVSS < 7.0)
- Low (CVSS < 4.0)
6. Remediation Timelines
| Severity | Action Required | Time to Remediate |
|---|---|---|
| Critical | Immediate patch or mitigation | ≤ 24 hours |
| High | Prioritized remediation | ≤ 5 business days |
| Medium | Standard remediation | ≤ 15 business days |
| Low | Scheduled based on impact | ≤ 30 business days |
If remediation is not feasible, risk acceptance or compensating controls must be documented and approved by the CISO.
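As an added example (not part of the policy text), the CVSS bands of section 5 and the timelines of section 6 encoded as a small Python check that computes each finding's remediation deadline and reports which open findings are overdue; the finding records, IDs and dates are constructed sample data, and business days are assumed to be Monday to Friday with no holiday calendar.

```python
from datetime import datetime, timedelta

# Severity bands from section 5 of the policy.
def severity(cvss: float) -> str:
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"

# Remediation timelines from section 6. Critical is 24 clock hours;
# the other bands are counted in business days (Monday to Friday assumed).
SLA_BUSINESS_DAYS = {"High": 5, "Medium": 15, "Low": 30}

def add_business_days(start: datetime, days: int) -> datetime:
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0-4 are Monday to Friday
            days -= 1
    return current

def due_date(found: datetime, cvss: float) -> datetime:
    sev = severity(cvss)
    if sev == "Critical":
        return found + timedelta(hours=24)
    return add_business_days(found, SLA_BUSINESS_DAYS[sev])

def overdue_findings(findings: list, now: datetime) -> list:
    """IDs of findings still open past their remediation deadline."""
    return [f["id"] for f in findings
            if f["status"] == "open" and due_date(f["found"], f["cvss"]) < now]

def metrics(findings: list, now: datetime) -> dict:
    """Open / resolved / overdue counts that section 7 asks to review monthly."""
    open_count = sum(1 for f in findings if f["status"] == "open")
    return {"open": open_count,
            "resolved": len(findings) - open_count,
            "overdue": len(overdue_findings(findings, now))}

# Constructed sample findings (hypothetical IDs, scores and dates).
SAMPLE = [
    {"id": "F-1", "cvss": 9.8, "found": datetime(2025, 7, 21, 10, 0), "status": "open"},
    {"id": "F-2", "cvss": 8.1, "found": datetime(2025, 7, 21, 10, 0), "status": "open"},
    {"id": "F-3", "cvss": 5.3, "found": datetime(2025, 7, 21, 10, 0), "status": "open"},
    {"id": "F-4", "cvss": 7.5, "found": datetime(2025, 7, 21, 10, 0), "status": "resolved"},
]
```

A finding is counted as overdue only once its deadline has passed, so a report run at the deadline itself does not flag it.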
7. Verification & Retesting
- After remediation, retesting is mandatory to confirm closure.
- Closed vulnerabilities must be logged, and evidence maintained for audit purposes.
- Metrics on open, resolved, and overdue vulnerabilities shall be reviewed monthly.
8. Patch Management
- Systems and libraries must receive timely security updates.
- Patch deployment must follow the Change Management Policy and include testing in non-prod environments.
- Automated patching is preferred where feasible.
9. Reporting & Metrics
- Regular vulnerability reports must be shared with engineering leadership.
- KPIs such as mean time to remediation (MTTR) and patch compliance rates must be tracked.
10. Exceptions
- Exceptions must be formally documented, risk-accepted, and reviewed quarterly.