Security

Vulnerability Management

2024

Purpose

The purpose of this Vulnerability Management Policy is to establish the processes, responsibilities, and procedures for identifying, assessing, and mitigating risks associated with software vulnerabilities in Fianu Labs' products.

Scope

This policy applies to all Fianu Labs employees, contractors, and third-party vendors involved in the development, support, and maintenance of Fianu. It also covers Fianu installations at customer sites and the infrastructure supporting Fianu operations.

Vulnerability Management Process

1. Identification

Vulnerabilities may be identified through various methods, including automated vulnerability scanning, manual code reviews, third-party assessments, and customer or public disclosures.

2. Assessment

Upon identification of a vulnerability, Fianu Labs will assess the risk associated with it. This assessment will include evaluating the potential impact, likelihood of exploitation, and the affected components of Fianu.

3. Remediation

After completing the risk assessment, Fianu Labs will develop a plan to remediate the identified vulnerability. Remediation options include patching, implementing compensating controls, or accepting the risk. The chosen option should be in line with the risk level and potential impact on customers.

4. Verification

Once remediation efforts are complete, Fianu Labs will verify that the vulnerability has been effectively addressed and that there are no residual risks.

5. Communication

Fianu Labs will communicate with affected customers regarding the vulnerability, remediation plan, and any required actions on their part.

Remediation and Patching Service Level Agreement

CVSSv3 Score Severity Priority Mitigation Time Remediation Time
9.0-10.0 (Critical) Severity 1 Priority 1 24 hours 30 days
7.0-8.9 (High) Severity 2 Priority 2 N/A 45 days
4.0-6.9 (Medium) Severity 3 Priority 3 N/A 120 days
0.1-3.9 (Low) Severity 4 Priority 4 N/A 210 days

Exceptions Process

Exceptions to this policy may be granted in specific cases where adhering to the policy is not feasible or would cause undue hardship. Requests for exceptions must be submitted in writing and approved by senior management.

Risk Acceptance

In cases where remediation efforts are not feasible or cost-effective, Fianu Labs may choose to accept the risk associated with a particular vulnerability. Such decisions must be documented, approved by senior management, and periodically reviewed.

Roles and Responsibilities

  • Fianu Labs' Security Team is responsible for managing the vulnerability management program, including identification, assessment, remediation, and communication.
  • Developers are responsible for implementing security best practices during the software development process and addressing vulnerabilities in their code.
  • Customer Support is responsible for assisting customers with vulnerability remediation and providing any necessary guidance.

Policy Review

This policy will be reviewed and updated annually or whenever significant changes occur in the organization or the regulatory environment. Additionally, the policy will be assessed after significant security incidents to identify potential improvements.

Privacy Policy
Security Policy
Trust Center
© Fianu Labs, Inc.
LicensingPrivacy PolicyTerms & conditionsCookie policy