Vulnerability Management Policy

Purpose

This policy informs all DefectDojo employees, and all external parties with access to DefectDojo equipment, systems, or networks (together, "DefectDojo Staff"), of their obligations with regard to vulnerability management for every system, network, and IT asset for which they are assigned ownership or maintenance.

Scope

This policy covers vulnerability and patch management as applied to information security, and specifically to the confidentiality, integrity, and availability of information that the company owns, processes, stores, or transmits.

Compliance

Compliance Measurement

The Information Security Management team will verify compliance with this policy through various methods, including but not limited to reports from business tools, internal and external audits, and feedback to the document owner.

Exceptions

Any exception to the policy must be reviewed and approved in advance by the Management Review Team.

Non-Compliance

Any DefectDojo Staff found to have violated this document may be subject to disciplinary action, up to and including termination of employment.

Continual Improvement

This document is updated and reviewed as part of the continual improvement process.

Requirements

Remediation Timeline and Scope

All Production and Internet-facing systems, including both infrastructure and applications, must be scanned and patched in accordance with the criticality and remediation timelines outlined in this document.

Vulnerability and Misconfiguration Scanning

Vulnerability scanning must be automated and should include misconfiguration detection wherever possible. Vulnerability and misconfiguration scanning must be done at least weekly.

Vulnerability Criticality Score

DefectDojo Staff will assign criticality to technical vulnerabilities in accordance with current NIST guidance and the most recent CVSS version. The qualitative severity scale below is the same in CVSS v3.0, v3.1, and v4.0:

  • Low: 0.1–3.9
  • Medium: 4.0–6.9
  • High: 7.0–8.9
  • Critical: 9.0–10.0

Vulnerability Discovery and Triage Timelines

  • Medium and higher vulnerabilities must be triaged within 7 days of discovery.
  • Emergency-rated vulnerabilities (e.g., Log4Shell, CVE-2021-44228, in Log4j) must be triaged within 24 hours of discovery.

Patching Timelines

Remediation deadlines, measured from the patch release date or the date of discovery, by severity:

  • Low: 90 days
  • Medium: 30 days
  • High: 7 days
  • Critical: 3 days if testing is required, otherwise 1 day

Configuration Correction Timelines

DefectDojo Staff must remediate configuration or entitlement weaknesses for IaC, IaaS, IAM, and SaaS:

  • Low: 30 days
  • Medium: 15 days
  • High: 7 days
  • Critical: 1 day

Exceptions may be granted if fixes impact business operations, with compensating controls and a documented plan.

Attack Surface and Infrastructure Correction Timelines

Remediation of infrastructure and perimeter findings:

  • Low: 20 days
  • Medium: 10 days
  • High: 5 days, unless the fix would break access or transport connectivity (see risk exceptions below)
  • Critical: 1 day, unless the fix would break access or transport connectivity (see risk exceptions below)

Risk exceptions may be granted with compensating controls and a plan to correct issues.

Remediation Principles

Escalation and De-escalation of Vulnerabilities

The Security Operations team may adjust the criticality of any vulnerability as appropriate.

Emergency-Rated Vulnerabilities

Emergency-rated vulnerabilities must be patched within 24 hours, or, where that is not technically possible, as soon as feasible, and must be managed as an incident under the Incident Response Policy.

Vulnerability Assessments

  • Technical vulnerability assessments are conducted prior to production deployment.
  • Automated vulnerability scans are conducted for all production environments at least quarterly, and in any case no less often than the weekly cadence required under Vulnerability and Misconfiguration Scanning above.
  • No intrusive scans are conducted on systems not under DefectDojo authority without explicit permission.

End-of-Life (EOL) Systems

EOL systems must be replaced with the latest supported major version without undue delay.

Patching Prioritization

Phased rollout of patches must prioritize higher-risk systems.

Patching Deployment and Change Management

  • Patches must be tested prior to deployment, except where the Critical patching timeline permits deployment without testing.
  • Customer environment uptime must be maintained per SLA.
  • Patch deployment should follow Change Management Policy where feasible.

Relevant Documents

  • Incident Management Policy
  • Change Management Policy