Warning: Work in Progress. This page is currently under construction. Content may be incomplete or subject to change. To contribute, see the contribution guide.
Vulnerability Management
Process for identifying, prioritising, and remediating security vulnerabilities in Patria Investments’ systems.
Scope
Covers vulnerabilities in:
- Application dependencies (third-party libraries and packages)
- Container images
- Cloud infrastructure configuration (Azure, GCP)
- Operating systems and server software
Sources
| Source | Tool / Method | Frequency |
|---|---|---|
| Dependency scanning | GitHub Dependabot | Continuous |
| Container image scanning | Integrated into CI/CD pipeline | On every build |
| Cloud configuration | Azure Defender for Cloud, GCP Security Command Center | Continuous |
| Penetration testing | External vendor | Annual |
| Threat intelligence | Security team subscription | Ongoing |
Severity and remediation SLAs
| Severity | CVSS Score | Remediation SLA |
|---|---|---|
| Critical | 9.0 – 10.0 | Within 24 hours |
| High | 7.0 – 8.9 | Within 7 days |
| Medium | 4.0 – 6.9 | Within 30 days |
| Low | 0.1 – 3.9 | Next planned release |
Process
- Detection: Automated scanners or manual discovery identifies a vulnerability
- Triage: Security team assesses severity, affected systems, and exploitability
- Assignment: A ticket is created in GitHub or ServiceNow and assigned to the responsible team
- Remediation: The team patches the dependency, updates the configuration, or applies a workaround
- Verification: Security team confirms the fix
- Closure: The ticket is closed with a reference to the fix and the date
Exception process
If a vulnerability cannot be remediated within the SLA, a formal exception must be submitted to the Security team including:
- Justification and business impact of deferral
- Compensating controls in place
- Target remediation date
- Approver (squad lead + Security team)
Contact
Security & Compliance team — see Contacts