How do we manage and remediate vulnerabilities?

We classify vulnerabilities into four main severity levels: Critical, High, Medium, and Low. These categories are determined based on the potential impact on our systems, data, and users.

The timeframes for remediation are prioritized according to the level of risk each severity represents, and our remediation process is aligned with industry best practices such as those recommended by the NIST or OWASP standards.

1. Critical

• Definition: Vulnerabilities that can be exploited remotely without authentication and could result in a complete system compromise, unauthorized access to sensitive data, or severe disruption to services.
• Remediation Timeframe: We aim to remediate critical vulnerabilities within 24 to 48 hours upon detection or notification. In some cases, immediate mitigation steps are taken while a full remediation plan is implemented.

2. High

• Definition: Vulnerabilities that require some level of access or interaction but can still lead to significant system compromise or unauthorized access to sensitive data.
• Remediation Timeframe: High-severity vulnerabilities are addressed within 3 to 7 business days after they are identified.

3. Medium

• Definition: Vulnerabilities that could result in limited data exposure or system compromise but require more specific conditions (e.g., certain user permissions, physical access, or multiple exploitation steps).
• Remediation Timeframe: Medium-severity vulnerabilities are typically remediated within 2 to 4 weeks, depending on the complexity of the fix and the potential for exploitation.

4. Low

• Definition: Vulnerabilities that pose minimal risk or require complex chains of exploitation to succeed. These vulnerabilities have a limited impact on the confidentiality, integrity, or availability of systems.
• Remediation Timeframe: Low-severity vulnerabilities are typically addressed during routine patch cycles, usually within 3 to 6 months.

Additional Considerations

• Mitigating Measures: For critical and high-severity vulnerabilities, immediate mitigating actions (e.g., blocking access, applying temporary fixes) may be taken while working on a permanent solution.
• Regular Audits and Monitoring: Vulnerabilities are continuously monitored through automated systems, and we regularly audit our security posture to ensure that timeframes for remediation are met.
• Emergency Escalation: If a vulnerability is actively being exploited (zero-day), we engage our emergency response team to address it immediately, overriding standard remediation timelines.