Vulnerability Management Policy

Purpose

The purpose of this policy is to establish vulnerability management controls and provide guidelines for their implementation. Vulnerability management encompasses source code, operating systems, runtimes, and devices, and vulnerability scans are performed externally via penetration testing and web application scans.

Scope

This policy applies to all systems classified as Customer Confidential as per the Data Classification Policy.

Ownership

Engineering is responsible for implementing and maintaining this policy.

Policy Statement

Zuar detects, classifies, tracks and resolves vulnerabilities across resources and components that comprise Zuar's product and infrastructure.

As some of Zuar’s customers deploy software into on-premise environments controlled by the customer, Zuar cannot force an upgrade, but will inform these customers of problems, available fixes, and communicate the relevant urgency of upgrading in line with severity.

For each detected vulnerability, Zuar assigns severity as follows:

  • Critical: The vulnerability can be exploited to gain root or admin access to data and systems containing Customer Confidential or Zuar Restricted data, or cause widespread performance degradation. Target resolution: 24-28 hours.
  • High: The vulnerability can be exploited to gain unauthorized access to sensitive data, but the exploit is difficult to execute, and requires an additional successful exploit, compromised system, or malfunctioning control. Target resolution: 1-7 days.
  • Medium: The vulnerability can be exploited to cause mild performance degradation or to gain access to sensitive data following multiple malfunctioning controls. Target resolution: 7-30 days.
  • Low: The vulnerability poses no immediate threat, is highly theoretical, or is not exploitable in the current context. These vulnerabilities may not require manual patching, and are often resolved by following the standard software upgrade process. Target resolution: scheduled to align with release cycle.

Vulnerability resolution adheres to the standard change management process described in the Change Management Policy.

Any exceptions to resolution windows must be approved by this policy’s owner and documented as a risk as outlined in the Risk Management Policy.

Pen testing

Zuar deploys software into single tenant, dedicated environments, so penetration testing initiated by Zuar is performed against the most common deployment. Customers reserve the right to purchase a penetration test of their specific environment.

Third-party vendors are used to perform penetration tests against the production system on a biannual basis for Zuar Runner and upon request for Zuar Portal. Identified Critical and High issues are promptly resolved and the rest are prioritized as appropriate.

Zuar compiles the result of each penetration test into a remediation report.

Patch Management

Patches and Docker image updates are applied as needed.

Zuar's infrastructure employs a variety of virtual machines and containers. Base images for these are retrieved from trusted sources, such as the AWS AMI repository or the Official Images set on Docker Hub. Any patches relevant to base images are added to the appropriate build process and deployed to production.

Vulnerability scanning

In an attempt to prevent vulnerabilities from reaching production environments, Zuar utilizes scanning techniques during its development and build processes. Additionally, Zuar uses tools to scan its production environment for vulnerabilities not caught by preventative measures. The resolution of any findings is performed in accordance with Zuar's Change Management Policy.