Vulnerability Management Policy

This document was derived directly from the official Armory Vulnerability Management Policy and Vulnerability Standard Operating Procedure. A more recent version may exist. Contact Armory for the latest official version.

Overview

Armory recognizes the importance of finding and addressing software defects for ourselves, our customers, and the Spinnaker community. Our vulnerability management functions are key to identifying risks in our software and systems.

Purpose

Security vulnerabilities are inherent in computing systems and applications. Armory must limit the risk associated with the exploitation of published vulnerabilities by implementing a vulnerability management system in an effective, systematic, and repeatable manner with measurements taken to confirm its success. This policy provides guidance for implementing vulnerability and patch management protocols.

Scope

The information contained herein applies to automated and manual systems including those managed or hosted by third parties on behalf of Armory, Inc. (the “Company”). This policy pertains to Information Assets, regardless of form or format, used in support of the business and applies to employees, consultants, agents, vendors, and other independent contractors who manage or use the Company’s Information Assets. Collectively these resources shall be referred to as “Personnel” or individually as “Users”.

Policy

Armory shall deploy a repeatable, continuous process to identify and mitigate security vulnerabilities within systems, applications, and networks. This implementation must include a process to identify, evaluate, and incorporate system updates and patches to ensure known security weaknesses are addressed in a timely and effective manner. Only trained administrators shall update production systems once technical solutions are authorized by the appropriate level of management.

Approved Tools & Scan Frequencies

Armory currently uses Aqua Security to scan images for vulnerabilities. At this time, AquaSec scans are the only scans that Armory accepts, because Armory can rerun them to confirm that identified vulnerabilities have been resolved. Armory runs Aqua Security scans on code throughout the continuous integration (CI) process, and scans are run for all new releases.

Third Party Reports

We do not accept scan reports generated by third parties, including customers, at this time. Upon request, Armory will provide the AquaSec scan results from the most recent release, pending a signed NDA or confidentiality agreement. Unregistered or zero-day vulnerabilities identified by third parties should be sent to [security@armory.io](mailto:security@armory.io) for triage and response. Whenever possible, [security@armory.io](mailto:security@armory.io) should be included in any correspondence regarding a reported vulnerability.

Prioritization

Newly detected vulnerabilities are evaluated using the Common Vulnerability Scoring System Calculator to recalculate the CVSS score based on applicable environmental and temporal considerations. Vulnerabilities are then assessed against our defined vulnerability taxonomy to determine the severity. High findings are evaluated by Armory Engineers for applicability. For applicable high-severity CVEs, a ticket is created, and the CVE is tracked through resolution.

Vulnerability Taxonomy

Armory uses the Common Vulnerability Scoring System (CVSS 3.0) for all Common Vulnerabilities and Exposures (CVE) provided by the National Vulnerability Database to determine the severity of vulnerabilities.

| Severity | Description |
| --- | --- |
| High | CVSS 8.0 - 10.0, *and* may be readily compromised with publicly available malware or exploits. |
| Medium | CVSS 6.0 - 7.9, *is not* actively exploited, *and* no known exploit has been made publicly available. |
| Low | CVSS 0.0 - 5.9, *and* may be mitigated with reasonable efforts, *is* mitigated through other established controls, *or* is unable to be mitigated due to normal operations. |

Disclosure

Public disclosure and customer notification will be coordinated by the account managers and customer success teams as necessary.

**Note:** If a new CVE record needs to be created, Armory will coordinate these efforts with the Spinnaker Security SIG.

Limitations

Armory employees are not allowed to conduct scans or penetration tests of Armory systems that they are not directly responsible for. Third parties like AWS may have additional instructions which should be followed prior to performing any security tests against these systems.

Revision History

| Date | Description | Author |
| --- | --- | --- |
| 2023-06-29 | Updated and Reviewed | Shannon Smith, Security Compliance Manager |
| 2022-03-01 | Updated and Reviewed | Shannon Smith, Security Compliance Manager |
| 2021-04-01 | Updated and Reviewed | Shannon Smith, Security Compliance Manager |
| 2021-04-01 | Reviewed and Approved | Andrew Backes, Head of Engineering |