Vulnerability Management Process

At Aampe, we are committed to maintaining the security and privacy of our users and their data. This document outlines our process for identifying, evaluating, and remediating security vulnerabilities in our systems and services.

Last updated on:

Jul 1, 2025

Overview

We follow a structured and transparent vulnerability management lifecycle to protect our infrastructure, backend services, and customer data. Our goal is to rapidly detect, prioritize, and resolve security issues while minimizing risk to users and stakeholders.

Reporting a Vulnerability

We welcome reports from security researchers and the community. If you discover a vulnerability in our services, please contact us:

Email: security@aampe.com
PGP Key: Download public key
Fingerprint: 80E7 E16E 68DD 22EA 05D4 5FF7 D954 8640 931E 8FAA
Response Time: We aim to respond within 2 business days.

We support and adhere to Coordinated Vulnerability Disclosure (CVD) practices and will work with researchers to resolve issues transparently and responsibly.

Triage & Prioritization

All reported or internally discovered vulnerabilities are reviewed and scored based on:

Severity: Using CVSS v3.1 where applicable
Exploitability: Ease of exploitation
Impact: Potential effect on user data or systems
Exposure: Public-facing vs. internal systems

We classify issues into four categories:

Severity	Examples	Target Fix Timeline
Critical	Remote code execution, exposed secrets, auth bypass	48 hrs
High	Privilege escalation, sensitive data exposure	5 business days
Medium	DoS, misconfigurations	15 business days
Low	Informal, best practice violations	30 business days

Remediation Process

Issue Logged: All vulnerabilities are tracked internally in a secure ticketing system.
Owner Assigned: A relevant engineering team is assigned immediately.
Fix Developed: Patches or mitigations are developed and peer-reviewed.
Testing: Security regression and automated/unit tests are run to validate.
Deploy & Monitor: Fixes are deployed to production; relevant logs and metrics are monitored for anomalies.

Disclosure & Notification

If a vulnerability has user-facing impact, we will:

Notify affected users directly via email or Slack
Provide a summary of the issue and resolution
Share mitigation steps, if required

Continuous Improvement

We proactively strengthen our security posture by:

Running regular static and dynamic code scans (SAST/DAST)
Conducting third-party penetration tests annually
Using automated dependency scanning tools (e.g., Dependabot, Snyk)
Reviewing all infrastructure changes for security impact

Thank You

We appreciate the work of security researchers and our user community in helping us maintain a secure environment. Your trust matters to us.

Aampe Security