Vulnerability Management Policy

1. Purpose

This policy defines how CloudFive identifies, prioritizes, remediates, and tracks security vulnerabilities in its systems and the client environments it manages.

2. Scope

Applies to all CloudFive-operated infrastructure, development endpoints, dependencies in client deliverables, and third-party software used in delivery.

3. Vulnerability Sources

• AWS Inspector — continuous scanning of EC2, Lambda, and container images
• AWS Security Hub — aggregated findings from GuardDuty, Config, Inspector, and Macie
• Dependabot / npm audit / pip-audit — dependency vulnerability scanning in CI/CD
• macOS system update notifications — endpoint OS/app patching
• CVE feeds (NIST NVD) — manual tracking for critical libraries

4. Severity & Remediation SLAs

5. Patching Procedures

• OS patches: reviewed weekly, applied within 30 days. Critical OS patches within 7 days.
• Application dependencies: npm audit fix or equivalent run before each deployment and in CI.
• Container base images: rebuilt from latest upstream on a monthly schedule, or within 7 days of a critical CVE.
• AWS Lambda runtimes: reviewed quarterly; deprecated runtimes migrated before AWS end-of-support date.

6. Exceptions & Risk Acceptance

Where a vulnerability cannot be remediated within SLA (e.g., a vendor has not yet released a patch), CloudFive will:

• Document the exception and the reason
• Apply a compensating control where possible
• Set a review date no more than 30 days out
• Notify affected clients where the vulnerability affects their data or systems

7. Responsible Disclosure

CloudFive operates a responsible disclosure program. If you discover a vulnerability in a CloudFive system, please report it to todd@cloudfive.net with subject [VULNERABILITY REPORT]. We will acknowledge within 2 business days and provide a remediation timeline. We ask for a 90-day coordinated disclosure window.