What is Yotta's approach to remediating vulnerabilities?

How does Yotta approach the remediation of vulnerabilities that are found and how quickly do they aim to tackle these vulnerabilities?

If a vulnerability assessment identifies vulnerabilities in an application or service we provide, or we learn of new vulnerabilities through other means, we aim to remediate them based on the following:

Prioritising Based on Severity

Remediation efforts should be prioritised based on the severity of the vulnerability and its potential impact on the confidentiality, integrity, or availability of the affected system or data. Where no more specific classification scheme applies, the Common Vulnerability Scoring System (CVSS) is used to assign a numeric score to each vulnerability and to support triage. A CVSS base score describes technical severity only; the potential impact on the specific system and data (for example, whether the service is internet-facing, or the sensitivity of the data it holds) should still inform the final priority.

Remediation Timeframes

After a vulnerability is detected and a fix is available, the timeline for remediation begins.

  • Critical (CVSS 9.0-10.0) Vulnerabilities:
    • Create a corrective action plan within 2 weeks.
    • Remediate the vulnerability within 1 month.
  • High (CVSS 7.0-8.9) Vulnerabilities:
    • Create a corrective action plan within 1 month.
    • Remediate the vulnerability within 3 months.
  • Other Vulnerabilities (CVSS below 7.0):
    • Scheduled based on the availability of staff resources and the effort required.

Corrective Action Planning

A corrective action plan should:

  • Validate that the vulnerability is properly identified and prioritised.
  • Include action-oriented descriptions of the steps that will be taken to mitigate the vulnerability.
  • Ensure that appropriate resources are, or will be, available to remediate the vulnerability.
  • Identify milestones in the remediation process to fully address and resolve the vulnerability.
  • Ensure that the schedule for resolving the vulnerability is achievable and allows for appropriate testing.

These plans are managed and tracked internally using our ticketing system.