# Vulnerability Management Policy

> The Vulnerability Management Policy sets out how we identify, prioritize, and remediate technical vulnerabilities through scanning, patching, and penetration testing.

export const PolicyVersion = ({version, effective}) => <p><strong>Version {version}</strong> · Effective {effective}. Change history is tracked in version control.</p>;

The Vulnerability Management Policy defines how botBrains finds, prioritizes, and fixes technical vulnerabilities in its software, dependencies, and infrastructure. It sets severity-based remediation timelines so that botBrains closes the most dangerous issues first.

<Warning>
  botBrains is **not yet ISO 27001 certified**. We are preparing our ISMS and writing these policies as part of pursuing certification, and we fully intend to get our controls attested.
</Warning>

<PolicyVersion version="1.0" effective="July 1, 2026" />

## Scope

This policy applies to all botBrains production systems, application code, third-party dependencies, container images, and cloud configuration across our providers listed in [subprocessors](/trust/subprocessors).

## Identifying vulnerabilities

botBrains uses several continuous and periodic sources to surface vulnerabilities.

| Source                                        | What it covers                                                                                                                                                                                                                               |
| --------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Dependency scanning (Dependabot).**         | Continuously flags known-vulnerable third-party libraries in our GitHub repositories.                                                                                                                                                        |
| **Image and configuration scanning (Trivy).** | Scans container images and infrastructure-as-code and cloud configuration for known vulnerabilities and insecure settings.                                                                                                                   |
| **Provider security advisories.**             | AWS, Hetzner, and DigitalOcean notifications for managed services and base images.                                                                                                                                                           |
| **Sentry error tracking.**                    | Surfaces runtime errors and anomalies that can indicate exploitable defects.                                                                                                                                                                 |
| **Security monitoring (Wazuh IDS/SIEM).**     | Monitors centralized logs for intrusion indicators and anomalies, as described in the [Logging and Monitoring Policy](/trust/policies/logging-and-monitoring-policy) and [Network Security Policy](/trust/policies/network-security-policy). |
| **Responsible disclosure.**                   | External researchers report issues through the [Responsible Disclosure Policy](/trust/policies/responsible-disclosure-policy).                                                                                                               |
| **Penetration testing.**                      | Planned independent testing of the application and production network (see gap below).                                                                                                                                                       |

## Severity ratings and remediation timelines

The CISO assesses each finding and assigns a severity based on real-world exploitability and impact on customer data, which may differ from a scanner's automatic rating. Remediation must complete within the timelines below, measured from the time the CISO confirms the finding.

| Severity      | Definition                                                                             | Remediation target |
| ------------- | -------------------------------------------------------------------------------------- | ------------------ |
| **Critical.** | Remote code execution, authentication bypass, or unauthorized access to customer data. | 24 hours           |
| **High.**     | Vulnerability affecting the security of the platform or its tenant isolation.          | 7 days             |
| **Medium.**   | Issue affecting multiple users with limited interaction required.                      | 30 days            |
| **Low.**      | Minor issue affecting a single user or requiring significant prerequisites.            | 90 days            |

When the CISO upgrades a finding's severity, the remediation clock resets and runs from the time of escalation, whereas a downgrade keeps the original remediation deadline. No change may deploy to production with an unresolved Critical or High finding unless the CISO records a documented, time-bound exception with a compensating control. A finding closes when botBrains deploys a valid fix, confirms a false positive, or records an approved exception.

## Patching cadence

botBrains keeps all systems and applications current with security patches. botBrains applies dependency updates flagged by Dependabot through the normal CI/CD pipeline, following the same severity timelines above. Our providers largely handle operating system and managed-service patching under their certifications, and botBrains applies the application-level and configuration patches it controls.

## Tracking and records

botBrains tracks each finding to resolution as a GitHub Issue with a severity label, an assigned owner, and a link to the source that reported it. botBrains retains records of findings and their resolution for a minimum of 5 years to evidence remediation over time; the [Data Retention Policy](/trust/policies/data-retention-policy) confirms the exact retention period.

## Penetration testing (gap)

botBrains **hasn't yet performed an independent penetration test**. Until one is scheduled and completed, we rely on continuous dependency scanning, secure development practices, and provider-level controls as interim measures. Commissioning an annual third-party penetration test of the application and production network is a planned improvement tracked in our [security roadmap](/trust/roadmap).

## ISO 27001 mapping

This policy supports Annex A control 8.8 (management of technical vulnerabilities).

## Review

The CISO owns this policy and reviews it at least annually and whenever a material change to our scanning tools, infrastructure, or testing programme occurs.
