Ekosistem App

Vulnerability Management Policy

How Ekosistem App identifies, prioritises, fixes and verifies vulnerabilities in code and dependencies.

Last updated: May 2026

Purpose & Scope

This policy defines how vulnerabilities — found internally, reported by users or disclosed in upstream advisories — are managed across the Ekosistem App stack.

Sources of Findings

Vulnerabilities are surfaced from the following sources:

  • Dependency advisories surfaced via pnpm audit and the providers’ own security feeds.
  • Code review findings during pull requests and architectural review.
  • External reports via developer@plademy.com from researchers or users.
  • Penetration tests when commissioned and post-incident root-cause investigations.
  • Telemetry from Pino logs, rate-limit counters and AI moderation outcomes that signal abuse.

Prioritisation & SLAs

Findings are triaged within 1 business day and resolved against the following targets:

  • Critical (CVSS ≥ 9.0 or active exploit) — patched or mitigated within 24 hours.
  • High (CVSS 7.0–8.9) — patched within 7 days.
  • Medium (CVSS 4.0–6.9) — patched within 30 days.
  • Low (CVSS < 4.0) — fixed in the next routine release.
  • When a workaround is necessary before a patch, it is documented and tracked to closure.

Remediation & Verification

Each remediation passes through:

  • Reproduction of the issue against the affected component.
  • Implementation behind code review — no direct commits to main without review.
  • Verification that the fix resolves the reproduction case and does not regress neighbouring controls.
  • Updates to relevant runbooks, OWASP mapping and policies if scope or controls have changed.

Disclosure & Contact

Security researchers are encouraged to report findings to developer@plademy.com. We commit to acknowledging reports within 3 business days and to coordinating disclosure timelines that prioritise user safety.

Developer and Operator
Plademy Oy
Maria 01, Lapinlahdenkatu 16, 00180 Helsinki, Finland
Business-ID: 3386328-3
Ekosistem App — Community operating system