# Vulnerability Management Runbook

**Version:** 1.0 — May 28, 2026  
**Owner:** Security Lead  
**Audience:** Internal engineering & security team

---

## 1. Objective

Continuously identify, triage, and remediate security vulnerabilities in Billslash Reach code, dependencies, infrastructure, and third-party services.

## 2. Scanning surfaces & cadence

| Surface | Tool | Cadence | Owner |
|---|---|---|---|
| Application dependencies (npm) | `bun audit` / GitHub Dependabot / Lovable dependency scan | On every push + weekly cron | Eng |
| Source code (SAST) | GitHub CodeQL | On every PR | Eng |
| Secrets in code | GitHub secret scanning (push protection on) | Every push | Eng |
| Database & RLS posture | Supabase Linter + Lovable Cloud Security Scan | Weekly + before each release | Sec |
| Web vulnerabilities (DAST) | OWASP ZAP baseline scan against preview URL | Monthly | Sec |
| TLS / headers | `ssllabs.com`, `securityheaders.com` | Quarterly | Sec |
| Cloud config | Cloudflare WAF rule review, Supabase auth settings review | Quarterly | Sec |
| Penetration test (third-party) | External vendor | Annually (and before any SOC 2 audit) | Sec |

## 3. Severity & SLAs

We use CVSS v3.1 base score, adjusted for exploitability in our environment.

| Severity | CVSS | Remediation SLA |
|---|---|---|
| Critical | 9.0–10.0 | **24 hours** (patch, mitigate, or take affected component offline) |
| High | 7.0–8.9 | **7 days** |
| Medium | 4.0–6.9 | **30 days** |
| Low | 0.1–3.9 | **90 days** (or accepted with documented justification) |

A finding can be downgraded only with written justification from the Security Lead (e.g., not reachable, mitigated by another control).

## 4. Workflow

1. **Triage** within 1 business day of detection.
2. **Open a tracking issue** with severity, CVSS, affected component, exploitation status, and target fix date.
3. **Remediate** within SLA. Acceptable forms: patch upstream, swap library, apply compensating control, isolate component.
4. **Verify** the fix with the same scanner that found it, plus a manual check where feasible.
5. **Close** the issue with links to the commit and verification evidence.

## 5. Exceptions

A vulnerability may be accepted (not fixed within SLA) only if:
- compensating controls reduce realistic impact to Low; AND
- the Security Lead and Engineering Lead both approve in writing; AND
- a re-review date is set (max 90 days out).

All exceptions are logged in the vulnerability exceptions register and reviewed quarterly.

## 6. Disclosure & external reports

- Coordinated disclosure inbox: `security@billslash.app` (PGP key on request).
- Acknowledge external reports within **2 business days**.
- Provide remediation timeline within **5 business days** of validation.
- Public credit on request, after fix is shipped.

## 7. Records

All scan reports, tickets, exceptions, and pentest reports are retained for **5 years** in restricted-access storage.

---

_Confidential — internal use only._
