
Vulnerability Management and Patch Policy

WeSalute's Vulnerability Management policies and procedures describe which systems are in place to monitor for new vulnerabilities, how quickly vulnerabilities must be addressed, and how they are addressed. On average, 20-30 new vulnerabilities are published every day. WeSalute's internal vulnerability monitoring and external vulnerability scanning are in place to keep up with new threats while validating the security controls already in place, so that WeSalute's security posture is maintained.

Vulnerability Management & Patch Policy

  • WeSalute performs internal vulnerability scanning and package monitoring continuously using:

    • Vanta, GitHub, G Suite, CrowdStrike, Google Cloud Security Command Center, Kolide, Kandji.io
  • WeSalute Security Team is responsible for communicating detected vulnerabilities and required package updates to the appropriate EngineeringOps Team Members for resolution. The EngineeringOps Team Members responsible for each infrastructure component are responsible for resolving detected vulnerabilities within the timing standards defined below.

Severity & Timing

WeSalute defines the severity of an issue using the industry-recognized Common Vulnerability Scoring System (CVSS), which modern scanning and continuous monitoring systems report for each finding. CVSS captures the characteristics of a vulnerability and produces a numerical score reflecting its severity. The numerical score is then translated into a qualitative rating (low, medium, high, or critical) to help organizations properly assess and prioritize their vulnerability management processes.

All vulnerabilities will be addressed within reasonable timelines as defined by WeSalute's procedural commitments.

Low Severity: 0.1 - 3.9

Low severity vulnerabilities are likely to have very little impact on the business, for example because they require local system access to exploit.

Medium Severity: 4.0 - 6.9

Medium severity vulnerabilities usually require access to the same local network, or existing user privileges, to be exploited.

High Severity: 7.0 - 8.9

High severity vulnerabilities are typically difficult to exploit but could result in escalated privileges, significant data loss, and/or downtime.

Critical Severity: 9.0 - 10.0

Critical severity vulnerabilities are likely to lead to root-level compromise of servers, applications, and other infrastructure components. If a critical vulnerability cannot be addressed within the defined timeline, an incident response ticket will be opened, documenting what interim remediations have been made.

Vulnerability & Patch Management Process

  1. A new vulnerability or a new patch is detected from the various monitoring and scanning WeSalute has in place.

  2. WeSalute Security Team enters vulnerability details or patch instructions into WeSalute's change management system, which is Jira, and assigns the ticket to the appropriate team member to address.

  3. The ticket assignee follows the change management process to implement the necessary change to apply the patch or address the new vulnerability.

  4. The ticket is updated with the results of the applied change, and any exceptions are recorded in the WeSalute Risk Register.

  5. WeSalute Security Team checks the source from which the vulnerability originated to ensure that the change performed has addressed the vulnerability detected. The ticket is updated with the results, and closed out.

Exceptions

Any exception to the policy must be approved by WeSalute Security Team in advance, and placed on the Risk Register for monitoring and periodic review.

Policy Review, Disciplinary, & Responsibility

Responsibility

It's the CTO's responsibility to ensure this policy is followed.

Reviewing vulnerability scans and continuous monitoring findings, and dividing up resolution tasks, are the responsibility of the WeSalute Security Team.

All engineers and developers are responsible for investigating and resolving vulnerabilities assigned to them via patching and configuration changes, as they are assigned.

warning

This Policy currently does not have the complete required policy footer content standard on WeSalute Policies. This may be intentional by the nature of the content.