Vulnerability Management Policy
Objective
The purpose of this policy is to define the way in which FundApps detects, classifies, mitigates and corrects vulnerabilities on its Information System. Effective implementation of this policy will reduce the probability and/or impact of vulnerabilities affecting the FundApps Information System.
Scope
This policy applies to the applications and infrastructure which make up FundApps' production environment. Physical vulnerability management is out of scope of this policy and is managed by our hosting provider (AWS).
Vulnerability Detection
FundApps uses several layers of security controls to detect and remediate vulnerabilities:
A human-led penetration test is performed annually by a CREST-accredited company.
Static Application Security Testing (SAST) is performed against every change before it is deployed to production.
Dynamic Application Security Testing (DAST) is performed against our platform weekly.
Infrastructure vulnerability scanning is performed against our infrastructure weekly.
FundApps' latest penetration test report and response to this report can be found in FundApps' Trust Portal.
Vulnerability Severity Ratings
Applications
Application vulnerabilities are rated based on their impact and likelihood. Possible vulnerability ratings are Low, Medium, High and Critical. The rating system is based on the OWASP Risk Rating Methodology (https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology).
Infrastructure
Infrastructure vulnerabilities are rated using the Common Vulnerability Scoring System (https://www.first.org/cvss/user-guide). Possible vulnerability ratings are None (0.0), Low (0.1 - 3.9), Medium (4.0 - 6.9), High (7.0 - 8.9) and Critical (9.0 - 10.0).
Vulnerability Acceptance, Mitigation and Correction
Process
Once vulnerabilities have been identified, rated and formalised, FundApps will manage risk treatment based on the following diagram:
By default, and as a maximum, the vulnerability acceptance period will be one year.
Applications
FundApps will endeavour to address vulnerabilities based on their severity as defined in the following table:
Severity   Vulnerability mitigated, corrected or accepted (**)
Critical   <=2 (*)
High       <=5 (*)
Medium     <=20 (*)
Low        <=20 (*)
(*) Number of working days after the application vulnerability report is formalised.
(**) Critical or High vulnerabilities will not be accepted. In the worst case scenario FundApps will mitigate these to reduce the risk to Medium.
Infrastructure
FundApps will endeavour to address infrastructure vulnerabilities based on their severity as defined in the following table:
Severity   Vulnerability mitigated, corrected or accepted
Critical   <=20 (*)
High       <=40 (*)
Medium     <=60 (*)
Low        Best effort
(*) Number of working days after the vulnerability has been identified.