Vulnerability Management
2024
The purpose of this Vulnerability Management Policy is to establish the processes, responsibilities, and procedures for identifying, assessing, and mitigating risks associated with software vulnerabilities in Fianu Labs' products.
This policy applies to all Fianu Labs employees, contractors, and third-party vendors involved in the development, support, and maintenance of Fianu. It also covers Fianu installations at customer sites and the infrastructure supporting Fianu operations.
Vulnerabilities may be identified through various methods, including automated vulnerability scanning, manual code reviews, third-party assessments, and customer or public disclosures.
Upon identification of a vulnerability, Fianu Labs will assess the risk associated with it. This assessment will include evaluating the potential impact, likelihood of exploitation, and the affected components of Fianu.
After completing the risk assessment, Fianu Labs will develop a plan to remediate the identified vulnerability. Remediation options include patching, implementing compensating controls, or accepting the risk. The chosen option should be in line with the risk level and potential impact on customers.
Once remediation efforts are complete, Fianu Labs will verify that the vulnerability has been effectively addressed, for example by re-running the scan, test, or review that identified it, and that no residual risk remains unaddressed.
Fianu Labs will communicate with affected customers regarding the vulnerability, remediation plan, and any required actions on their part.
Exceptions to this policy may be granted in specific cases where adhering to the policy is not feasible or would cause undue hardship. Requests for exceptions must be submitted in writing and approved by senior management.
In cases where remediation efforts are not feasible or cost-effective, Fianu Labs may choose to accept the risk associated with a particular vulnerability. Such decisions must be documented, approved by senior management, and periodically reviewed.
This policy will be reviewed and updated annually or whenever significant changes occur in the organization or the regulatory environment. Additionally, the policy will be assessed after significant security incidents to identify potential improvements.