Vulnerability Management Procedure (A.8.8)
Document ID: vulnerability-management-procedure
Version: 1.0
Effective from: 2025-01-01
Owner: Founder / CEO
Review cycle: Annual
Scope
Covers technical vulnerabilities in: application dependencies, runtime environments (Bun, Cloudflare Workers), infrastructure configuration, and custom code.
Vulnerability identification
| Method | Cadence | Tool |
|---|---|---|
| Dependency CVE scanning | Daily | Dependabot (dep-vulns collector) |
| Threat intelligence | Weekly | threat-intel-digest collector |
| External pentest | Annual | Third-party penetration test |
| Code security analysis | Per PR | TypeScript typecheck + governance hook |
| WAF alert monitoring | Continuous | Cloudflare WAF (waf-state collector) |
| Responsible disclosure | Ad-hoc | security@sigmashake.com |
Severity scoring
Use the CVSS v3.1 base score as the primary severity indicator:
| CVSS | Severity | Patch SLA |
|---|---|---|
| 9.0–10.0 | Critical | 72 hours |
| 7.0–8.9 | High | 7 days |
| 4.0–6.9 | Medium | 30 days |
| 0.1–3.9 | Low | Next planned release |
Response process
- Identify — Dependabot alert or manual report
- Triage — Assess exploitability in SigmaShake context (is the vulnerable code path reachable?)
- Patch or mitigate — Update dependency, apply workaround, or accept risk with documentation
- Verify — Confirm Dependabot alert closes; run the dep-vulns cron manually if urgent
- Document — If CVE > 30 days open, create risk register entry
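As an added example (not SigmaShake's own tooling), a TypeScript helper that maps a Dependabot-style alert's CVSS v3.1 base score to the severity bands and patch SLAs above and flags the two outcomes the Verify and Document steps care about: alerts past their SLA, and alerts open more than 30 days (the risk register trigger). The Alert shape and the sample alerts are constructed for illustration.

```typescript
// Added example: CVSS -> severity/SLA mapping and SLA tracking for open alerts.
type Severity = "Critical" | "High" | "Medium" | "Low";

interface Alert {
  id: string;
  cvss: number;      // CVSS v3.1 base score (0.1..10.0)
  openedAt: string;  // ISO 8601 timestamp the alert was raised
  closed: boolean;   // true once Dependabot reports the alert closed
}

interface Triage {
  id: string;
  severity: Severity;
  slaDays: number | null;  // null = "next planned release" (Low)
  dueBy: string | null;    // ISO timestamp of the SLA deadline, if any
  overdue: boolean;        // still open and past the SLA deadline
  needsRiskRegister: boolean;  // still open for more than 30 days
}

const DAY_MS = 86_400_000;

function severityFor(cvss: number): Severity {
  // Table covers 0.1..10.0; reject NaN and out-of-range values outright.
  if (!(cvss >= 0.1 && cvss <= 10)) throw new RangeError(`invalid CVSS score: ${cvss}`);
  if (cvss >= 9.0) return "Critical";
  if (cvss >= 7.0) return "High";
  if (cvss >= 4.0) return "Medium";
  return "Low";
}

function slaDaysFor(sev: Severity): number | null {
  return { Critical: 3, High: 7, Medium: 30, Low: null }[sev];
}

function triage(alert: Alert, now: Date): Triage {
  const severity = severityFor(alert.cvss);
  const slaDays = slaDaysFor(severity);
  const openedMs = new Date(alert.openedAt).getTime();
  const ageDays = (now.getTime() - openedMs) / DAY_MS;
  const dueBy = slaDays === null ? null : new Date(openedMs + slaDays * DAY_MS).toISOString();
  return {
    id: alert.id,
    severity,
    slaDays,
    dueBy,
    overdue: !alert.closed && slaDays !== null && ageDays > slaDays,
    needsRiskRegister: !alert.closed && ageDays > 30,
  };
}

// Constructed sample alerts (not real advisories) for a dry run.
const SAMPLE_ALERTS: Alert[] = [
  { id: "A-1", cvss: 9.1, openedAt: "2025-03-01T00:00:00Z", closed: false },
  { id: "A-2", cvss: 6.5, openedAt: "2025-02-20T00:00:00Z", closed: false },
  { id: "A-3", cvss: 2.0, openedAt: "2025-01-01T00:00:00Z", closed: false },
];
```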
Accepted risk
Vulnerabilities may be accepted (not patched) if:
- The vulnerable code path is not reachable in SigmaShake's deployment (e.g., server-side-only CVE in a browser-only dependency)
- The patch introduces breaking changes and no mitigation is available
Accepted risks must be recorded in the risk register with justification and review date.
Responsible disclosure
SigmaShake accepts vulnerability reports at security@sigmashake.com. Reporters receive acknowledgment within 48 hours and a fix timeline within 7 days for exploitable vulnerabilities. We follow coordinated disclosure: 90-day embargo before public disclosure.
Evidence
| Collector | Cadence | Control |
|---|---|---|
| dep-vulns | Daily | A.8.7, A.8.8, A.8.29 |
| threat-intel-digest | Weekly | A.5.7, A.8.7 |
| waf-state | Weekly | A.8.20, A.8.21, A.8.23 |
| pen-test-report | Quarterly | A.5.35, A.8.29, A.8.34 |