How do we manage and remediate vulnerabilities?

We categorize vulnerabilities into four severity levels—Critical, High, Medium, and Low—based on their potential impact on systems, data, and users. Remediation timeframes are prioritized according to risk, ranging from 24-48 hours for critical issues to 3-6 months for low-severity vulnerabilities, aligning with industry standards like NIST and OWASP.

Created by Mustafa Ekim / October, 2024

We classify vulnerabilities into four main severity levels: Critical, High, Medium, and Low. These categories are determined based on the potential impact on our systems, data, and users.

The timeframes for remediation are prioritized according to the level of risk each severity represents, and our remediation process is aligned with industry best practices such as those recommended by the NIST and OWASP standards.

1. Critical

• Definition: Vulnerabilities that can be exploited remotely without authentication and could result in a complete system compromise, unauthorized access to sensitive data, or severe disruption to services.
• Remediation Timeframe: We aim to remediate critical vulnerabilities within 24 to 48 hours upon detection or notification. In some cases, immediate mitigation steps are taken while a full remediation plan is implemented.

2. High

• Definition: Vulnerabilities that require some level of access or interaction but can still lead to significant system compromise or unauthorized access to sensitive data.
• Remediation Timeframe: High-severity vulnerabilities are addressed within 3 to 7 business days after they are identified.

3. Medium

• Definition: Vulnerabilities that could result in limited data exposure or system compromise but require more specific conditions (e.g., certain user permissions, physical access, or multiple exploitation steps).
• Remediation Timeframe: Medium-severity vulnerabilities are typically remediated within 2 to 4 weeks, depending on the complexity of the fix and the potential for exploitation.

4. Low

• Definition: Vulnerabilities that pose minimal risk or require complex chains of exploitation to succeed. These vulnerabilities have a limited impact on the confidentiality, integrity, or availability of systems.
• Remediation Timeframe: Low-severity vulnerabilities are typically addressed during routine patch cycles, usually within 3 to 6 months.

Additional Considerations

• Mitigating Measures: For critical and high-severity vulnerabilities, immediate mitigating actions (e.g., blocking access, applying temporary fixes) may be taken while working on a permanent solution.
• Regular Audits and Monitoring: Vulnerabilities are continuously monitored through automated systems, and we regularly audit our security posture to ensure that timeframes for remediation are met.
• Emergency Escalation: If a vulnerability is actively being exploited (zero-day), we engage our emergency response team to address it immediately, overriding standard remediation timelines.

Author

Mustafa Ekim

Mustafa Ekim, founder of TestInvite and QuizCV, brings nearly a decade of expertise in building online assessment platforms for custom, secure tests.