Vulnerability Management

This document describes the processes that support the following company policies:

Responsibilities

TODO

Responsible for:

reporting vulnerabilities and/or vulnerability disclosures in accordance with the guidelines outlined here and in the Employee Handbook

TODO

Responsible for:

monitoring the implementation of this vulnerability management policy
leading employee awareness of this policy
reviewing this policy on an annual basis
communicating with internal and external stakeholders about vulnerabilities and/or vulnerability disclosures
taking steps to mitigate immediate risks
assisting with vulnerability investigations conducted by other departments within Narrative I/O

TODO:

TODO

Responsible for:

investigating and taking action to resolve vulnerabilities when required
communicating with internal stakeholders about the status of vulnerability remediation

The Vulnerability Management Policy describes the general guidelines and expectations for handling VDP submissions.

In practice, the following process is the one we use to handle these submissions:

Create a Shortcut ticket in the narrative-security workspace and tag it using the Vulnerability Disclosure Program label.
- Include the priority/severity in the description and fill the due date field based on its corresponding SLA in the table provided in the policy.
- Assign the ticket to the person who is on the Security On-Call Rotation.
- Attach a PDF print of the email / vulnerability report.
If the problem cannot be immediately addressed, reply to the vulnerability reporter with the estimate.
The person who is on the Security On-Call Rotation resolves or delegates the work and tracks it to completion.
Inform the vulnerability reporter of the fix and Cc security@narrative.io.
Include a PDF print of the email communication.
Use Shortcut conventions to link corresponding PRs to the ticket.