Vulnerabilities

We ensure all critical or high vulnerabilities identified are addressed immediately and a subsequent scan is performed to validate resolution.

Details

  1. Automated Vulnerability Scanning

    We use GitHub Dependabot to automatically monitor and scan dependencies for known vulnerabilities. Dependabot performs scheduled scans and alerts developers through GitHub's Security tab when issues are detected.

  2. Trigger Conditions

    Scans run on a schedule across all dependencies, and an alert is raised whenever a known vulnerability is found. Dependabot also tracks changes to the upstream vulnerability data, so a newly published advisory that affects an already-installed dependency raises an alert as well.

  3. Critical and High Vulnerability Response

    Any critical or high-severity vulnerability is prioritised by the engineering team and addressed immediately. Dependabot PRs are reviewed and merged following the standard PR approval workflow.

  4. Revalidation of Fixes

    Once a fix is applied and merged, the next scheduled Dependabot scan automatically validates the resolution of the issue. This ensures continuous validation without manual steps.

  5. Risk-Based Triage for Other Vulnerabilities

    Medium and low-severity vulnerabilities are evaluated by engineering based on the context of usage and business impact. Risks may be deferred or mitigated through alternate controls as per the organisation's documented risk tolerance.