The Vulnerability Management Policy defines how botBrains finds, prioritizes, and fixes technical vulnerabilities in its software, dependencies, and infrastructure. It sets severity-based remediation timelines so that botBrains closes the most dangerous issues first.
botBrains is not yet ISO 27001 certified. We are preparing our ISMS and writing these policies as part of pursuing certification, and we fully intend to get our controls attested.
Scope
This policy applies to all botBrains production systems, application code, third-party dependencies, container images, and cloud configuration across our providers listed in subprocessors.
Identifying vulnerabilities
botBrains uses several continuous and periodic sources to surface vulnerabilities.
| Source | What it covers |
|---|---|
| Dependency scanning (Dependabot) | Continuously flags known-vulnerable third-party libraries in our GitHub repositories. |
| Image and configuration scanning (Trivy) | Scans container images and infrastructure-as-code and cloud configuration for known vulnerabilities and insecure settings. |
| Provider security advisories | AWS, Hetzner, and DigitalOcean notifications for managed services and base images. |
| Sentry error tracking | Surfaces runtime errors and anomalies that can indicate exploitable defects. |
| Security monitoring (Wazuh IDS/SIEM) | Monitors centralized logs for intrusion indicators and anomalies, as described in the Logging and Monitoring Policy and Network Security Policy. |
| Responsible disclosure | External researchers report issues through the Responsible Disclosure Policy. |
| Penetration testing | Planned independent testing of the application and production network (see gap below). |
The CISO assesses each finding and assigns a severity based on real-world exploitability and impact on customer data, which may differ from a scanner’s automatic rating. Remediation must complete within the timelines below, measured from the time the CISO confirms the finding.
| Severity | Definition | Remediation target |
|---|---|---|
| Critical | Remote code execution, authentication bypass, or unauthorized access to customer data. | 24 hours |
| High | Vulnerability affecting the security of the platform or its tenant isolation. | 7 days |
| Medium | Issue affecting multiple users with limited interaction required. | 30 days |
| Low | Minor issue affecting a single user or requiring significant prerequisites. | 90 days |
When the CISO upgrades a finding’s severity, the remediation clock resets and runs from the time of escalation, whereas a downgrade keeps the original remediation deadline. No change may deploy to production with an unresolved Critical or High finding unless the CISO records a documented, time-bound exception with a compensating control. A finding closes when botBrains deploys a valid fix, confirms a false positive, or records an approved exception.
Patching cadence
botBrains keeps all systems and applications current with security patches. botBrains applies dependency updates flagged by Dependabot through the normal CI/CD pipeline, following the same severity timelines above. Our providers largely handle operating system and managed-service patching under their certifications, and botBrains applies the application-level and configuration patches it controls.
Tracking and records
botBrains tracks findings to resolution as GitHub Issues with a severity label, an assigned owner, and a link to the source. The platform retains records of findings and their resolution for a minimum of 5 years to evidence remediation over time. The Data Retention Policy confirms the exact retention period.
Penetration testing (gap)
botBrains hasn’t yet performed an independent penetration test. Until one is scheduled and completed, we rely on continuous dependency scanning, secure development practices, and provider-level controls as interim measures. Commissioning an annual third-party penetration test of the application and production network is a planned improvement tracked in our security roadmap.
ISO 27001 mapping
This policy supports Annex A control 8.8 (management of technical vulnerabilities).
Review
The CISO owns this policy and reviews it at least annually and whenever a material change to our scanning tools, infrastructure, or testing programme occurs.