Our Security team identifies, evaluates, and manages vulnerabilities across Redox, including corporate assets, applications, and cloud infrastructure. Our purpose is to reduce our risk exposure and support our goal to become the most trusted brand in healthcare technology.
It's important that all parties involved agree about how vulnerabilities should be handled (e.g., reporting, triage, and prioritization, including if and when vulnerabilities should be fixed).
We identify vulnerabilities via several sources, including:
- our engineers or customer-facing teams
- third-party audit or penetration test
- bug bounty program (Learn more about our responsible disclosure policy)
- vulnerability scans
- CERT or vendor advisories
- news / media (e.g., zero-day)
It’s important that vulnerabilities are rated consistently and transparently to arrive at objective, mutually agreed-upon severity ratings. At the highest level, we rate the risk of vulnerabilities by combining the CVSS rating, impact, and likelihood to score the vulnerability as follows:
| Final score | Priority | General recommendation | SLA |
|---|---|---|---|
| 51–60 | P0 (“Critical”) | Remediation ASAP | 48 hours |
| 41–50 | P1 (“High”) | Prioritized / OOB remediation | 2 weeks |
| 31–40 | P2 (“Medium”) | Scheduled / routine remediation | 6 weeks |
| 21–30 | P3 (“Low”) | Plan resolution, as resources permit | 12 weeks |
| <= 20 | P4 (“Informational”) | No action currently necessary | None |
Resolution options include remediation, SLA overrides, mitigations, and risk acceptance.
When we identify a vulnerability, the team that owns it decides how to address it, what timeframe to expect (within the established parameters), and how to document decisions and ultimate outcomes. Our Security team may schedule regular or ad-hoc discussions, provide consulting upon request, and periodically check in on open issues.
Our Security team is then encouraged to derive insights from these vulnerabilities to drive their programs forward, for example by identifying the most common root causes of vulnerabilities and the affected functional areas using custom labels and queries.
We also track and report metrics about identified vulnerabilities to our executive leadership.