Vulnerability Management Policy
1. Introduction
PagerTree is committed to maintaining a secure and resilient platform for our customers.
As part of this commitment, PagerTree maintains a formal Vulnerability Management Program designed to identify, assess, prioritize, and remediate security vulnerabilities across our systems, applications, and cloud infrastructure.
This policy outlines PagerTree’s approach to scanning, evaluating, and remediating vulnerabilities based on risk and severity.
2. Scope
This policy applies to:
- All PagerTree-managed servers, services, applications, and cloud infrastructure
- All source code, dependencies, and container images used within PagerTree systems
- All employees and contractors responsible for development, infrastructure, operations, and security
3. Vulnerability Identification
PagerTree discovers vulnerabilities through multiple channels, including:
- Automated vulnerability scans (SAST, SCA, dependency checks, container scans)
- Cloud and infrastructure scanning tools
- Penetration testing and security assessments
- Bug bounty or coordinated vulnerability disclosures
- Threat intelligence and vendor security advisories
PagerTree continuously monitors for new vulnerabilities in software components, libraries, and services used to deliver the PagerTree platform.
4. Severity Classification
PagerTree assigns a severity rating to each vulnerability based on:
- Industry-standard scoring systems (e.g., CVSS)
- Vendor or security researcher advisories
- The relevance and exploitability in PagerTree’s environment
- Potential impact to customer data or service availability
PagerTree may upgrade or downgrade severity using expert judgment to reflect actual risk.
Severity levels include:
- Critical
- High
- Medium
- Low
- Informational
5. Remediation Timeframes
PagerTree prioritizes vulnerability remediation based on severity, impact, and exploitability.
The following timelines apply once a patch, mitigation, or validated remediation strategy is available:
| Severity | Required Timeframe |
|---|---|
| Critical | Within 24 hours |
| High | Within 1 week |
| Medium | Within 1 month |
| Low | Within 3 months |
| Informational | As necessary |
If no vendor patch is immediately available, PagerTree implements compensating controls (e.g., configuration changes, firewall rules, service isolation, monitoring enhancements) until full remediation is possible.
PagerTree continually reviews active vulnerabilities to ensure timely remediation aligned with these commitments.
6. Verification & Testing
Before deploying vulnerability fixes into production, PagerTree:
- Tests patches and updates in controlled environments
- Ensures compatibility with applications and services
- Validates that remediation does not negatively impact availability or functionality
Post-remediation, PagerTree re-scans or verifies that the vulnerability has been resolved.
7. Reporting & Tracking
PagerTree maintains a centralized process for tracking vulnerabilities through:
- Ticketing systems and automated workflow tools
- Dashboards and reports reviewed by engineering and security teams
- Escalations for past-due remediation items
PagerTree logs vulnerability information, remediation status, and closure evidence for audit purposes.
8. Third-Party & Dependency Risk
PagerTree evaluates vulnerabilities in:
- Third-party services
- Open-source components
- SDKs and external integrations
- Cloud service provider platforms
When a vulnerability affects a vendor or dependency, PagerTree:
- Monitors updates from the provider
- Applies patches as soon as they are released
- Implements temporary mitigations when required
PagerTree maintains a software bill of materials (SBOM) approach through automated scanning tools.
9. Customer Notification
If a vulnerability impacts customer data or creates material risk, PagerTree will:
- Assess the relevance and severity
- Notify customers consistent with legal, contractual, and responsible disclosure practices
- Provide guidance on any customer-side mitigations, if applicable
PagerTree is committed to transparency and proactive communication.
10. Enforcement
Employees and contractors must follow PagerTree’s vulnerability management processes.
Failure to comply may result in:
- Revoked access privileges
- Reassignment of responsibilities
- Disciplinary action or contract termination
11. Review and Maintenance
This Vulnerability Management Policy is reviewed at least annually, or whenever significant changes occur in systems, development practices, or the threat landscape.
Updates are approved by PagerTree Executive Management.
For questions regarding this Vulnerability Management Policy or PagerTree’s security program, please contact security@pagertree.com.