Vulnerability and PatchManagement Policy

Policy Statements

Last Updated: 07 October 2020

Haystack conducts vulnerability scans on all systems at least annually. Any identified vulnerabilities are logged, prioritized, and fixed according to their priority. Once a fix has been put in place, we re­scan systems to ensure that the vulnerability has been properly addressed

Patch Management

Wherever possible, Haystack applies security patches automatically, to avoid any delays that could result in an exploitable vulnerability.This policy applies to both servers and endpoint devices (e.g. laptops). If security patches are not able to be applied continuously and automatically, they are applied on a regular schedule (e.g. patch Tuesday).Haystack does not use software that is unmaintained or has reached end­-of-­life (EOL). In the event that a product Haystack uses is nearing EOL and Haystack cannot transition off of it before the EOL date, we will purchase maintenance support or maintain the project ourselves.


Network and Codebase vulnerability scanning includes processes to scan for system mis-con­ figurations that could lead to exploits and known vulnerabilities in system packages. Some of the scanning that we conduct include: ­ configuration scans of our current network to identify any potential misconfigurations ­scans and upgrades of server software to ensure server packages contain the latest security patches ­scanning of external packages in our codebase to ensure vulnerabilities are patched and versions are up­ to ­date with the latest security patches ­static application scanning (SAST) of potential vulnerabilities in our application based on common sources (e.g. insufficient I/O validation, XSS, etc.)

System Monitoring

Haystack uses centralized logging, application performance management (APM) and secu­rity information and event management (SIEM) tools to continuously monitor system events. Haystack Security Team receives alerts when sensitive or suspicious events occur. Any suspi­cious activity is flagged for further investigation followed up until the anomaly is resolved or a security event is identified. In case a security incident is identified through system monitoring, Haystack Security Team members follow the steps laid out in the Security Incident Response Plan.

External Vulnerability Scanning

Company engages qualified third parties to conduct vulnerability scans / penetration tests on a regular basis. When Haystack engages third parties, we jointly define a scope and timeframe for testing / scanning that supports risk management goals without posing excessive disruption to the business (e.g. downtime from a successful exploit).

Prioritization & Remediation

In our view, security vulnerabilities are bugs, and we treat them as such: by filing, prioritizing, and solving them on a timeline that is proportional to the business risk they pose.


When security­related bugs are identified, we first use CVSS to provide an initial risk rating to security related bugs. We use the calculator provided by NIST to calculate CVSS. Haystack’s CTO must be notified of any vulnerabilities with a CVSS score of 7 or greater.We prioritize bugs (security or otherwise) in the following order: ­Critical ­High ­Medium ­Low

Exception Handling

Like any scoring system, CVSS is a guideline. Haystack’s Head of Engineering has the ultimate authority to adjust a bug’s priority rating to align with business objectives. A written explanation of any priority adjustment must be added to any issue where an exception is made.

Resolution & SLA

To make sure that security­-related issues are noted, we tag them with a “security” tag in our issue tracker. Security­Related Bugs are addressed according to the following timelines: ­Critical: 7 days ­High: 30 days ­Medium: 60 days ­Low: As business priorities permit


The Vulnerability Management Program Owner is responsible for defining Haystack’s program and ensuring that this document is kept up­ to ­date. Vulnerability Management Program Owner: Haystack CTO

For more information, please contact