
Vulnerability Management Program (VMP)

1. Purpose

The purpose of this document is to describe the general approach that DevOpsSystems GmbH follows to identify, assess, and address software vulnerabilities. The goal is to support the security, stability, and continuous improvement of our products and related development environments.

This program aims to ensure that potential vulnerabilities are recognized early, appropriately prioritized, and remediated in a consistent and transparent manner.

2. Scope

This Vulnerability Management Program applies to all software products developed or maintained by DevOpsSystems GmbH, including both Cloud-based (Atlassian Forge) and On-Premises (Data Center) solutions.

It also covers the internal systems and tools used to develop, test, and deploy these products.

3. Governance and Responsibility

Overall coordination and review of the vulnerability management process are typically overseen by the Technical Lead (or a designated team member responsible for security-related topics).

All team members involved in development, testing, or operations are encouraged to stay familiar with the principles outlined in this document.

4. Objectives

The main objectives of this process are to:

  • Identify vulnerabilities in our own code and in third-party dependencies.

  • Evaluate and prioritize issues according to severity and potential business impact.

  • Remediate vulnerabilities in a timely and traceable way.

5. Tools

The vulnerability management process is supported by a range of tools and automation intended to make detection and remediation efficient and consistent.

Category | Tool / System | Purpose
Static Analysis (SAST) | SonarQube | Identifies potential code-level issues, security hotspots, and code smells during development.
Dependency Scanning (SCA) | Snyk, OWASP | Detects known vulnerabilities in third-party libraries and open-source components.
Dynamic Analysis (DAST) | OWASP ZAP (planned) | Detects runtime application vulnerabilities through simulated attacks against a running instance.
Issue Tracking | Jira Software | Records, prioritizes, and tracks vulnerability-related items.
Documentation | Confluence | Maintains related procedures, reports, and improvement notes.

6. Process Overview

Identification (Tools, Customers, Bug Bounty)

Potential vulnerabilities are identified through automated scanning tools (e.g., Snyk, SonarQube), code reviews, and, where relevant, external input such as customer reports and bug bounty submissions.

Bug Bounty Programs

To complement internal security measures, DevOpsSystems GmbH may also participate in bug bounty programs when appropriate. The goal is to identify potential vulnerabilities early through independent expertise and to continuously enhance product security.

Triage & Assessment

After a vulnerability is reported, a triage period of about two weeks is allocated to review and assess the finding. During this period, the responsible team verifies that the report is reproducible, evaluates its relevance and severity, and determines the most appropriate next steps. Verified issues are classified by severity (Critical, High, Medium, Low) and potential impact. Critical and High findings are treated with higher urgency and addressed as hotfixes, while Medium and Low findings are scheduled as part of planned releases.

Severity | Description | Typical Impact
Critical | A vulnerability that allows direct compromise of systems or customer data without requiring authentication. | Immediate security or operational risk.
High | A vulnerability that could compromise the security of the system or its data, but requires authenticated access. | High potential impact on confidentiality, integrity, or availability.
Medium | An issue that may allow limited access or information disclosure, or that affects non-sensitive parts of the system. | Limited data access or partial service disruption.
Low | A vulnerability with minimal business or operational impact, often requiring local or physical access to exploit. | Minimal operational or security impact.

Remediation & Target Fix Timeframes

Once a vulnerability has been verified and prioritized, remediation activities can be planned and tracked through Jira. Fixes are developed and tested in alignment with the company’s established development and quality assurance practices.

The following timeframes serve as general guidance for how quickly vulnerabilities are intended to be addressed based on their potential risk. Data Center targets are longer because fixes must be shipped as a release that customers install themselves. Actual remediation schedules may depend on system complexity, customer deployment models, and release planning.

Severity | Cloud – Target Fix Time | Data Center – Target Fix Time
Critical | Within 4 weeks | Within 12 weeks
High | Within 6 weeks | Within 12 weeks
Medium | Within 8 weeks | Within 12 weeks
Low | Within 25 weeks | Within 25 weeks

Communication

DevOpsSystems GmbH aims to handle communication regarding security vulnerabilities in a transparent and responsible way. The goal is to ensure that customers are informed about relevant fixes while keeping details confidential until a fix is available, so that disclosure does not increase the risk to unpatched deployments. Security-related updates are usually communicated through release notes.

Continuous Improvement

Vulnerability management is an ongoing process. Lessons learned from previous findings, incidents, or customer feedback are regularly reviewed to identify opportunities for process and tool improvements.
