Vulnerability Management
A cornerstone of our security program is our proactive approach to vulnerability management. We are committed to continuously identifying, assessing, and remediating security vulnerabilities across our environment to protect our systems and your data from emerging threats.
Our Vulnerability Management Lifecycle
Our program follows a continuous lifecycle to manage vulnerabilities effectively.
1. Identification
We use a variety of methods to identify potential vulnerabilities:
- Automated Scanning: We employ industry-standard tools to perform regular, automated vulnerability scans of our cloud infrastructure and applications.
- Dependency Analysis: Our CI/CD pipeline includes Software Composition Analysis (SCA) to detect known vulnerabilities in our third-party libraries.
- External Reports: We value and encourage reports from the security research community through our Responsible Disclosure Program.
2. Assessment & Prioritization
Once a potential vulnerability is identified, it is tracked and assessed to determine its risk level. We use the industry-standard Common Vulnerability Scoring System (CVSS) to assign a numeric score, which maps to a qualitative severity rating (Critical, High, Medium, Low). This rating, combined with the context of our environment, allows us to prioritize remediation of the highest risks first.
3. Remediation
We are committed to remediating identified vulnerabilities in a timely manner. We adhere to strict internal Service Level Agreements (SLAs) for remediation based on the vulnerability's severity:
- Critical: Within 7 days
- High: Within 14 days
- Medium: Within 30 days
- Low: Within 90 days
Remediation may involve applying a security patch, updating a configuration, or deploying a compensating control.
4. Verification
After a fix has been deployed, we re-scan the affected system to verify that the vulnerability has been successfully remediated.
Penetration Testing & Independent Assessments
In addition to automated scanning, regular manual penetration tests of our systems are performed to identify complex vulnerabilities, such as business-logic and authorization flaws, that automated tools may miss. Each test provides a deep, point-in-time assessment of our security posture that complements the continuous coverage of automated scanning.
To complement our internal efforts, our public Responsible Disclosure Program allows us to leverage the skills of the global security research community. This provides an ongoing, independent source of security feedback, ensuring our platform is continuously scrutinized by a wide range of experts.