Introduction

This document details how to execute the Vulnerability Management Process as documented in our Vulnerability Management Policy. The policy document is the source of truth in case there are any discrepancies between the two documents. If you find conflicting information please raise it to the attention of the Security team.

Vulnerability management process

1. Discovery: A vulnerability from any source becomes an issue in the tracking board, in the Initial column.
2. Triaging: a member of the security team triages the vulnerability. If confirmed, they write a technical report in the security-issues repo and engage the code owner. This happens within 3 business days.
3. Engineering estimation: the code owner suggests a patch and provides an estimate of the effort to complete it within the SLA defined by the severity level assigned during the triage process.
4. Remediation: the code owner patches the issue. Security verifies the patch.
5. Disclosure: Security discloses the vulnerability according to our vulnerability disclosure process.

Vulnerability sources

We use a few tools to find vulnerabilities in our product, infrastructure and assets:

• Automated SAST/DAST: Trivy, Checkov
• Manual Testing
• Customer reports
• Internal reports
• Bug Bounty Program

We use the following to manage them and record information:

• Vulnerability board in GitHub: where we track the status of open vulnerabilities.
• security-issues repository: where we store technical write ups for vulnerabilities and discuss with Engineering teams.

Vulnerability reports

Our vulnerability reports are issues in the security-issues repository. There are a few issue templates to choose from when creating a new report. The important labels to be aware of are: