Vulnerability Management Policy

Effective Date: April 23, 2026

1. Purpose

This policy establishes procedures for identifying, assessing, and remediating security vulnerabilities in VaultKeeper systems within defined service level agreements (SLAs).

2. Vulnerability Identification

Vulnerabilities are identified through:

Vendor security advisories (Firebase, Cloudflare, Plaid, Teller, Apple)
GitHub security alerts and Dependabot notifications
Manual code reviews during development
Monitoring CVE databases for relevant components
Plaid and Teller security notifications

3. Severity Classification

Severity	CVSS Score	Description
Critical	9.0 - 10.0	Actively exploitable, direct access to consumer data, remote code execution
High	7.0 - 8.9	Significant risk, potential data exposure, privilege escalation
Medium	4.0 - 6.9	Limited risk, requires specific conditions to exploit
Low	0.1 - 3.9	Minimal risk, informational findings

4. Patching SLAs

Severity	Remediation Deadline	Actions
Critical	24 hours	Immediate patch or mitigation. Consider taking affected service offline if needed.
High	7 days	Prioritize patch deployment. Apply compensating controls if patch is delayed.
Medium	30 days	Schedule patch in next maintenance cycle.
Low	90 days	Address in regular development cycle.

5. Remediation Process

Assess: Determine severity, affected components, and potential impact
Mitigate: Apply temporary mitigations if a patch is not immediately available (e.g., WAF rules, feature flags, access restrictions)
Patch: Apply the fix, test in staging if applicable, deploy to production
Verify: Confirm the vulnerability is resolved
Document: Record the vulnerability, timeline, and remediation actions

6. Managed Service Vulnerabilities

For vulnerabilities in managed services (Firebase, Cloudflare Workers), remediation is handled by the service provider. Our responsibility is to:

Keep SDKs and client libraries updated
Monitor provider status pages and security bulletins
Apply any recommended configuration changes promptly

7. Responsible Disclosure

If a security vulnerability is discovered in VaultKeeper by an external party, we encourage responsible disclosure via the contact information in our Privacy Policy.

8. Policy Review

This policy is reviewed at least annually or after any significant security incident.