Vulnerability Management Process

At Aampe, we are committed to maintaining the security and privacy of our users and their data. This document outlines our process for identifying, evaluating, and remediating security vulnerabilities in our systems and services.

Last updated on:

Jul 1, 2025

Overview

We follow a structured and transparent vulnerability management lifecycle to protect our infrastructure, backend services, and customer data. Our goal is to rapidly detect, prioritize, and resolve security issues while minimizing risk to users and stakeholders.

Reporting a Vulnerability

We welcome reports from security researchers and the community. If you discover a vulnerability in our services, please contact us:

We support and adhere to Coordinated Vulnerability Disclosure (CVD) practices and will work with researchers to resolve issues transparently and responsibly.

Triage & Prioritization

All reported or internally discovered vulnerabilities are reviewed and scored based on:

  • Severity: Using CVSS v3.1 where applicable

  • Exploitability: Ease of exploitation

  • Impact: Potential effect on user data or systems

  • Exposure: Public-facing vs. internal systems

We classify issues into four severity categories, each with a target fix timeline:

  Severity   Examples                                                     Target Fix Timeline
  Critical   Remote code execution, exposed secrets, authentication bypass   48 hours
  High       Privilege escalation, sensitive data exposure                   5 business days
  Medium     Denial of service (DoS), misconfigurations                      15 business days
  Low        Informational findings, best-practice violations                30 business days

Remediation Process


  1. Issue Logged: All vulnerabilities are tracked internally in a secure ticketing system.

  2. Owner Assigned: A relevant engineering team is assigned immediately.

  3. Fix Developed: Patches or mitigations are developed and peer-reviewed.

  4. Testing: Security regression tests and the automated unit/integration suite are run to validate the fix and confirm nothing else broke.

  5. Deploy & Monitor: Fixes are deployed to production; relevant logs and metrics are monitored for anomalies.

Disclosure & Notification

If a vulnerability has user-facing impact, we will:

  • Notify affected users directly via email or Slack

  • Provide a summary of the issue and resolution

  • Share mitigation steps, if required

Continuous Improvement

We proactively strengthen our security posture by:

  • Running regular static and dynamic application security testing (SAST/DAST) scans

  • Conducting third-party penetration tests annually

  • Using automated dependency scanning tools (e.g., Dependabot, Snyk)

  • Reviewing all infrastructure changes for security impact

Thank You

We appreciate the work of security researchers and our user community in helping us maintain a secure environment. Your trust matters to us.

Aampe Security