Monthly Vulnerability Review Procedure
Owner: Security Officer · Approved by leadership · Version 1.0 · Effective 27 May 2026 · Next review 27 May 2027
1. Purpose
This procedure defines the controlled monthly cadence under which Glassbreak reviews vulnerability information from every relevant source, classifies each open finding, assigns an owner and a remediation deadline, and produces signed minutes that an auditor can sample.
Severity classification follows section 3 of the Incident Response Policy. A finding whose severity warrants immediate response is handled under that policy rather than deferred to the monthly review.
2. Scope
The review covers every source of vulnerability information:
- Dependabot alerts on all repositories in the Glassbreak organisation.
- The output of npm audit for each workspace (api, web, mobile, and any tooling workspaces).
- Advisories, status notices, and security bulletins issued by each current sub-processor (see /legal/sub-processors).
- Residual findings from the most recent internal audit that have not yet been closed.
- Findings carried over from the previous monthly review, with their current status.
- Any coordinated-disclosure reports received in the period that were classified below the immediate-response threshold.
- Outputs of the daily security-posture snapshot for the period that surfaced a control regression rather than an incident.
3. Ownership
- Accountable owner — the Security Officer convenes the review and signs the minutes.
- Engineering input — engineering provides the technical assessment of exploitability and remediation options for each finding affecting code or infrastructure.
- Per-finding owners — each open finding has a named owner accountable for driving it to closure by the recorded deadline.
4. Cadence
- One review per calendar month, scheduled for the first week of the month and completed within a +/- 7-day window of the target date.
- A missed monthly review is itself a finding and is recorded as such on the next run.
- Findings whose severity warrants immediate action are escalated to the Incident Response Policy and do not wait for the monthly window.
5. Severity
Every finding is classified at triage using the SEV-1 / SEV-2 / SEV-3 / SEV-4 scale defined in section 3 of the Incident Response Policy. The severity drives the remediation deadline that is recorded against the finding under the Remediation SLA procedure.
6. Procedure
6.1 Gather
- Pull the current Dependabot alert list for every repository, including dismissed-with-reason entries.
- Run npm audit for every workspace and capture the output.
- Review every sub-processor advisory published since the previous review.
- Refresh the list of open residual findings from the most recent internal audit.
- Refresh the list of carry-over findings from the previous monthly review.
6.2 Triage
- Deduplicate findings that surface from multiple inputs.
- Assess exploitability in Glassbreak's context — for example, a dependency CVE that affects a code path Glassbreak does not reach is recorded with that rationale.
- Assign or confirm severity per section 5.
- Assign or confirm an owner for each open finding.
- Set or confirm the remediation deadline per the Remediation SLA procedure.
6.3 Decide
- For each finding, the review records one of: remediate (with deadline), accept (with rationale, expiry, and compensating control), or escalate (to the Incident Response Policy).
- Acceptance decisions are entered in the risk register with the recorded expiry date.
6.4 Sign and file
- The Security Officer signs the minutes.
- The signed minutes are filed in the compliance evidence store and indexed by review date.
- Each open finding is tracked in the standard issue tracker until closure.
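The gather and triage steps above (6.1 and 6.2) are the part of this procedure that can be scripted. The following is an added example, not Glassbreak tooling: it reads the report that npm audit --json writes for each workspace (the npm 7+ format with auditReportVersion 2), flattens every advisory into one record, deduplicates advisories that surface in more than one workspace, and emits rows in the shape of the "Open findings" table in section 7. The sample reports, package names and advisory numbers are constructed placeholders; a real run would load each captured file with load_report instead. SEV classification, owner and decision are deliberately left blank in the output because the procedure assigns them at triage under section 5, not from npm's own severity label.

```python
import json

def advisory(source, name, title, severity, vuln_range):
    """Build one advisory object in the shape npm puts inside `via` (constructed sample)."""
    return {"source": source, "name": name, "title": title,
            "url": f"https://example.invalid/advisories/{source}",  # placeholder URL, not a real advisory
            "severity": severity, "range": vuln_range}

# Constructed sample reports in the shape of `npm audit --json` (npm 7+, auditReportVersion 2).
# Package names and advisory numbers are placeholders, not real advisories.
SAMPLE_REPORTS = {
    "api": {"auditReportVersion": 2, "vulnerabilities": {
        "example-parser": {"name": "example-parser", "severity": "high", "isDirect": True,
                           "via": [advisory(1001, "example-parser", "Constructed: prototype pollution in example-parser", "high", "<2.0.0")],
                           "range": "<2.0.0", "fixAvailable": True},
        # Transitive entry: here `via` holds a package *name*, not an advisory object.
        "example-cli": {"name": "example-cli", "severity": "high", "isDirect": True,
                        "via": ["example-parser"], "range": "*", "fixAvailable": False},
    }},
    "web": {"auditReportVersion": 2, "vulnerabilities": {
        "example-parser": {"name": "example-parser", "severity": "high", "isDirect": False,
                           "via": [advisory(1001, "example-parser", "Constructed: prototype pollution in example-parser", "high", "<2.0.0")],
                           "range": "<2.0.0", "fixAvailable": False},
        "example-template": {"name": "example-template", "severity": "moderate", "isDirect": True,
                             "via": [advisory(1002, "example-template", "Constructed: XSS in example-template", "moderate", "<1.4.2")],
                             "range": "<1.4.2", "fixAvailable": True},
    }},
}

def load_report(path):
    """Load one captured `npm audit --json` file (for real runs; the sample above is used instead here)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def flatten_report(workspace, report):
    """Yield one record per advisory object in a workspace's report.
    A `via` entry that is a plain string names another vulnerable package (a transitive
    path) and carries no advisory of its own, so it is skipped rather than miscounted."""
    if report.get("auditReportVersion") != 2:
        raise ValueError(f"{workspace}: expected auditReportVersion 2")
    for pkg in report.get("vulnerabilities", {}).values():
        for via in pkg.get("via", []):
            if not isinstance(via, dict):
                continue
            yield {"advisory_id": via["source"], "title": via["title"], "url": via["url"],
                   "package": via["name"], "npm_severity": via["severity"],
                   "vulnerable_range": via["range"], "workspace": workspace,
                   "fix_available": bool(pkg.get("fixAvailable"))}

def deduplicate(records):
    """Merge records sharing an advisory id and collect every affected workspace.
    npm's severity is kept as triage input only; SEV, owner and decision stay unset."""
    merged = {}
    for rec in records:
        key = rec["advisory_id"]
        entry = merged.setdefault(key, {
            "advisory_id": key, "title": rec["title"], "url": rec["url"], "package": rec["package"],
            "npm_severity": rec["npm_severity"], "vulnerable_range": rec["vulnerable_range"],
            "affected_workspaces": [], "fix_available": True, "sev": None, "owner": None, "decision": None})
        if rec["workspace"] not in entry["affected_workspaces"]:
            entry["affected_workspaces"].append(rec["workspace"])
        # A fix counts as available only if every affected workspace can take it.
        entry["fix_available"] = entry["fix_available"] and rec["fix_available"]
    return list(merged.values())

def gather(reports):
    """Step 6.1 + 6.2 for the npm audit input: flatten every workspace, then deduplicate."""
    records = []
    for workspace, report in reports.items():
        records.extend(flatten_report(workspace, report))
    return deduplicate(records)

def to_minutes_rows(findings):
    """Render 'Open findings' rows (section 7 template) as tab-separated text."""
    rows = ["#\tfinding\tsource\tsummary\taffected component\tnpm severity\tSEV\towner\tdecision\tdeadline/expiry\tstatus"]
    for n, f in enumerate(findings, 1):
        rows.append("\t".join([str(n), f"NPM-{f['advisory_id']}", "npm audit", f["title"],
                               ", ".join(f["affected_workspaces"]), f["npm_severity"],
                               f["sev"] or "TBD at triage", f["owner"] or "unassigned",
                               f["decision"] or "pending", "", "open"]))
    return "\n".join(rows)

if __name__ == "__main__":
    print(to_minutes_rows(gather(SAMPLE_REPORTS)))
```

Running the script on the constructed reports produces two rows rather than four: the advisory shared by api and web is listed once with both workspaces as affected components, and the transitive example-cli entry is not counted as a separate finding. The finding identifier format NPM-<number> is an assumption for the example; the review should use whatever identifier scheme the issue tracker already applies.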
7. Template
Each monthly review produces a single minutes document with the following structure. This template is the artefact that an auditor may sample.
- Header — review identifier, period covered, target review date, actual completion date, Security Officer.
- Inputs reviewed — list of every source with the count of new and open findings from each.
- Open findings — numbered table with: finding identifier, source, summary, affected component, severity, owner, decision (remediate / accept / escalate), remediation deadline or acceptance expiry, current status.
- Closed since previous review — list of findings closed in the period, with closure evidence reference and closure date.
- Escalations — list of findings escalated to the Incident Response Policy in the period, with the incident identifier each was assigned.
- Risk-register changes — any acceptance decisions added or expiring in the period.
- Sign-off — Security Officer signature and date.
8. First instance
The inaugural monthly vulnerability review was completed on the effective date of this procedure (27 May 2026). It captured the baseline open-finding inventory across the in-scope sources. The signed minutes are held in the compliance evidence store and available under NDA.
9. Records
- Signed minutes are retained for at least 5 years.
- Acceptance decisions remain in the risk register until expiry or supersession.
- Per-finding tracker records are retained as part of the issue tracker history.
10. Review of this procedure
This procedure is reviewed at least annually and after any material change to the input sources (for example, adoption of a new dependency manager or addition of a new sub-processor with its own advisory channel). The next scheduled review is 27 May 2027.
11. Related documents
- Policies index
- Incident Response Policy §3
- Information Security Policy §3.8
- Remediation SLAs
- Internal Audit Programme
- Sub-processors
Counter-signed PDF copy available on request to compliance@glassbreak.io.