Vulnerability & Patch Management Policy


Purpose

Define how Perfect Wiki identifies, evaluates, prioritizes, and remediates security vulnerabilities across its application code, dependencies, and infrastructure.

Scope

The Perfect Wiki application, its dependencies (npm packages, base container images, OS packages), its cloud infrastructure, and any externally reported security issues.

Sources of vulnerability intelligence

  • Automated dependency advisories via GitHub Dependabot / yarn audit / npm audit.
  • Base-image and OS-package advisories from the upstream maintainer and Google Cloud.
  • Sentry error monitoring (surfacing exploit attempts and security-relevant failures).
  • Externally reported issues via [email protected] per the Vulnerability Disclosure page.
  • Vendor security advisories from sub-processors.

Severity & remediation SLA

Severity is assigned using CVSS v3.1 and adjusted for exploitability and exposure of Perfect Wiki specifically.

  • Critical (CVSS 9.0–10.0): Patch or mitigate within 7 calendar days.
  • High (7.0–8.9): Within 30 days.
  • Medium (4.0–6.9): Within 90 days.
  • Low (< 4.0): Within 180 days or accepted as a known risk with documented justification.

Process

  1. Vulnerability identified from one of the sources above.
  2. Triage by the CEO/CTO: confirm applicability, assign severity, capture tracking entry.
  3. Remediation: dependency upgrade, code patch, configuration change, or compensating control deployed via the normal change-management process (or as an emergency change for criticals).
  4. Verification: re-scan / re-test confirms the fix.
  5. Reporting: critical and high findings, and their remediation status, are tracked and available for customer review on request.
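Steps 1 to 3 applied to the `npm audit` source, as an added example that is not Perfect Wiki's own tooling: it reads the JSON that `npm audit --json` emits (npm 7 and later), takes the highest CVSS v3.1 score from each package's advisories, assigns the policy band from the table above and computes the remediation due date from the detection date. Transitive entries in that report often carry no CVSS score of their own (their `via` array lists the vulnerable dependency by name rather than as an advisory object), so the example falls back to npm's own severity label, translating npm's "moderate" to the policy's "medium". The package names, advisory titles and scores in `SAMPLE_REPORT` are constructed for the example; the detection date `2026-05-21` is an assumption.

```javascript
// Added example, not Perfect Wiki's code: triage `npm audit --json` output into
// the policy's severity bands and remediation deadlines.
const SLA_DAYS = { critical: 7, high: 30, medium: 90, low: 180 };

// CVSS v3.1 qualitative rating scale, as used by the policy's SLA table.
function bandForScore(score) {
  if (score >= 9.0) return "critical";
  if (score >= 7.0) return "high";
  if (score >= 4.0) return "medium";
  return "low";
}

// npm's own labels differ slightly from CVSS wording: "moderate" is CVSS "medium",
// and "info" has no score, so it is handled as low and left to risk acceptance.
function bandFromNpmSeverity(label) {
  const map = { critical: "critical", high: "high", moderate: "medium", low: "low", info: "low" };
  return map[label] || "low";
}

// Highest CVSS score among the advisory objects in `via`. Strings in `via` are
// package names (transitive paths) and carry no score, so they are skipped.
function maxCvss(entry) {
  let best = null;
  for (const v of entry.via || []) {
    if (v && typeof v === "object" && v.cvss && typeof v.cvss.score === "number") {
      if (best === null || v.cvss.score > best) best = v.cvss.score;
    }
  }
  return best;
}

// Calendar-day arithmetic in UTC so the due date does not shift with local time zones.
function addDays(isoDate, days) {
  const [y, m, d] = isoDate.split("-").map(Number);
  return new Date(Date.UTC(y, m - 1, d + days)).toISOString().slice(0, 10);
}

// One tracking row per vulnerable package, most urgent band first.
function triage(report, detectedOn) {
  const rows = [];
  for (const [name, entry] of Object.entries(report.vulnerabilities || {})) {
    const score = maxCvss(entry);
    const band = score !== null ? bandForScore(score) : bandFromNpmSeverity(entry.severity);
    rows.push({
      package: name,
      score,
      band,
      due: addDays(detectedOn, SLA_DAYS[band]),
      direct: Boolean(entry.isDirect),
      fixAvailable: Boolean(entry.fixAvailable),
    });
  }
  const order = ["critical", "high", "medium", "low"];
  rows.sort((a, b) => order.indexOf(a.band) - order.indexOf(b.band) || a.package.localeCompare(b.package));
  return rows;
}

// Constructed sample in the shape of `npm audit --json` (auditReportVersion 2).
// Names, titles and scores are invented for the example.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "pkg-c": {
      name: "pkg-c", severity: "critical", isDirect: false,
      via: [{ name: "pkg-c", title: "Prototype pollution (constructed advisory)", severity: "critical",
              cvss: { score: 9.8, vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, range: "<1.2.3" }],
      effects: ["pkg-a"], range: "<1.2.3", fixAvailable: true,
    },
    // Direct dependency affected only through pkg-c: `via` is a bare name, no cvss object.
    "pkg-a": { name: "pkg-a", severity: "critical", isDirect: true, via: ["pkg-c"], effects: [], range: "*", fixAvailable: true },
    "pkg-b": {
      name: "pkg-b", severity: "moderate", isDirect: true,
      via: [{ name: "pkg-b", title: "Regular expression denial of service (constructed advisory)", severity: "moderate",
              cvss: { score: 5.3, vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, range: "<2.0.0" }],
      effects: [], range: "<2.0.0", fixAvailable: false,
    },
  },
};

for (const r of triage(SAMPLE_REPORT, "2026-05-21")) {
  console.log(`${r.band.padEnd(8)} due ${r.due}  ${r.package}  cvss=${r.score ?? "n/a"}  direct=${r.direct}  fix=${r.fixAvailable}`);
}
```

Against a real project the same functions run over `JSON.parse(fs.readFileSync("audit.json"))` after `npm audit --json > audit.json`. The `due` column is the date the policy's SLA expires, so it can be pasted straight into the tracking entry from step 2; anything whose band came from the npm label rather than a CVSS score should be re-checked against the upstream advisory before the severity is finalised, since the policy adjusts severity for Perfect Wiki's own exposure.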

Penetration testing

Independent third-party penetration testing is not currently performed on a fixed cadence. As Perfect Wiki grows and customer requirements evolve, the policy is to engage an external pentest provider at least annually. In the meantime, dependency scanning and externally reported issues provide the interim coverage of that surface; they do not exercise application logic and access control the way a manual test does, which is why the annual engagement remains the target.

Anti-malware

  • Production runtimes run on hardened Google Cloud-managed hosts; no general-purpose user workloads execute on production systems.
  • Engineering workstations run vendor-supplied endpoint security and OS auto-updates.

Roles & responsibilities

  • CEO/CTO: Owns vulnerability management, triages findings, approves risk acceptance.

Review cadence

Reviewed annually.


Last reviewed: 2026-05-21. Next review: 2027-05-21. Approved by: Ilia Pirozhenko, CEO/CTO.
