Introduction
This document details how to execute the Vulnerability Management Process defined in our Vulnerability Management Policy. The policy document is the source of truth if the two documents disagree. If you find conflicting information, please bring it to the attention of the Security team.
Vulnerability management process
- Discovery: A vulnerability from any source becomes an issue on the tracking board, in the Initial column.
- Triaging: A member of the Security team triages the vulnerability within 3 business days of the issue being created. If the vulnerability is confirmed, they write a technical report in the security-issues repo, assign a severity level, and engage the code owner.
- Engineering estimation: The code owner proposes a fix and estimates the effort needed to complete it within the SLA for the severity level assigned during triage.
- Remediation: The code owner patches the issue. Security verifies the patch before the issue is closed.
- Disclosure: Security discloses the vulnerability according to our vulnerability disclosure process.
Vulnerability sources
Vulnerabilities in our product, infrastructure and assets reach us from several sources:
- Automated scanning (dependency, container image and infrastructure-as-code): Trivy, Checkov
- Manual Testing
- Customer reports
- Internal reports
- Bug Bounty Program
We use the following to track vulnerabilities and record findings:
Vulnerability reports
Our vulnerability reports are issues in the security-issues repository. There are a few issue templates to choose from when creating a new report. The important labels to be aware of are: