Vulnerability & Threat Management Procedure

Last updated: March 11, 2025

Purpose

ItemIQ ("we," "our," or "us") maintains this Vulnerability and Threat Management Procedure to systematically identify, assess, prioritize, and remediate security vulnerabilities and threats across our systems, applications, and infrastructure.

Scope

This procedure applies to all systems, applications, cloud infrastructure, third-party dependencies, and development processes that support our products and services.

Vulnerability Identification

Sources of Vulnerability Information

  • Automated scanning of application dependencies (e.g., npm audit, Snyk, Dependabot) for known-vulnerable package versions
  • Vendor security advisories and patch notifications
  • Public vulnerability databases (e.g., NVD, CVE)
  • Internal security assessments and code reviews
  • Third-party penetration testing and security audits
  • Responsible disclosure and bug bounty reports

Threat Monitoring

  • Monitoring of threat intelligence sources relevant to our technology stack
  • Tracking of emerging threats affecting the cloud platforms we rely on (e.g., Firebase, Google Cloud)
  • Review of security bulletins from platform and framework vendors

Vulnerability Assessment

  • Each vulnerability is assigned a severity (Critical, High, Medium, Low) based on its exploitability in our environment
  • Impact is evaluated based on the affected systems and the sensitivity of the data they process
  • Risk scoring considers the CVSS score (where one is available), business context, and any compensating controls already in place

Remediation and Patching

Remediation Timeframes

  • Critical: Remediation within 7 days, with immediate mitigation (e.g., a compensating control or isolation of the affected component) where a fix cannot be applied within that window
  • High: Remediation within 30 days
  • Medium: Remediation within 90 days
  • Low: Addressed in next planned maintenance or release cycle

Remediation Actions

  • Applying vendor patches and updates
  • Upgrading vulnerable dependencies to patched versions
  • Implementing configuration changes or compensating controls when patches are not available
  • Documenting accepted risks when remediation is deferred, with management approval

Verification and Tracking

  • Remediation is verified by re-scanning the affected system or otherwise confirming that the fix is in place
  • Each vulnerability is tracked from identification until verified closure
  • Metrics (e.g., mean time to remediate per severity level) are reviewed periodically

Integration with Other Processes

  • Vulnerability management findings may trigger Incident Response procedures when active exploitation is suspected
  • New systems and applications are assessed before production deployment
  • Third-party and supply chain risks are considered in vendor selection and ongoing review

Review and Updates

This procedure is reviewed at least annually and updated to reflect changes in technology, threat landscape, or regulatory requirements.

Related Documents

  • Access Control Policy
  • Data Classification Policy
  • Incident Response Policy

Contact

For questions about this procedure or to report a vulnerability, contact:

  • Email: security@itemiq.com

© 2026 ItemIQ. All rights reserved.