Appcircle Vulnerability Management Policy¶
Effective date: 2026-02-05 Last reviewed: 2026-02-05 Policy owner: Engineering Management (Security Program Owner)
Purpose¶
This policy establishes Appcircle's approach to identifying, assessing, tracking, and remediating technical vulnerabilities in its systems and infrastructure. Effective vulnerability management reduces the risk of exploitation by internal or external actors and protects the confidentiality, integrity, and availability of Appcircle's services and customer data.
Scope¶
This policy applies to:
- All Appcircle-operated systems, services, and infrastructure, including production environments hosted on Google Cloud Platform.
- All personnel involved in developing, operating, or maintaining Appcircle systems.
- Third-party components and dependencies incorporated into Appcircle's software.
Vulnerability identification¶
Appcircle uses multiple methods to identify technical vulnerabilities:
- Secure development training: Developers receive training on secure coding practices to reduce the introduction of vulnerabilities during the software development lifecycle.
- Peer code review: All code changes undergo peer review, which includes assessment of code quality and potential security vulnerabilities before approval.
- Vulnerability scanning: Third-party scanning tools are used to identify known vulnerabilities in Appcircle's systems, dependencies, and infrastructure.
- Penetration testing: Independent penetration testing is conducted at least annually by a qualified third party, combining automated scanning with human-led exploitation techniques to identify vulnerabilities that automated tools may miss.
Vulnerability assessment¶
Each identified vulnerability is assessed based on the likelihood and potential impact of exploitation. Severity is classified into five categories:
| Severity | Description |
|---|---|
| Urgent | Easily exploited by unskilled attackers; may lead to full server compromise and lateral spread across the network. |
| Critical | Easily exploited by skilled attackers; may lead to full server compromise and lateral spread across the network. |
| High | Can be exploited to obtain critical system information or cause service disruptions in systems and applications. |
| Medium | Does not directly lead to system compromise but exposes information such as application or system versions that could facilitate future exploitation. |
| Low | Low probability of direct or indirect exploitation; provides only basic information about systems. |
Vulnerability tracking¶
All identified vulnerabilities are logged and tracked through to resolution. Tracking records include the vulnerability title, description, and assessed impact of exploitation. Logging supports both operational oversight and retrospective analysis.
Vulnerability remediation¶
Vulnerabilities are prioritised and remediated according to their severity rating. Required resolution timeframes are:
- Urgent: 1 day
- Critical: 3 days
- High: 30 days
- Medium: 90 days
- Low: Best effort (no mandatory timeframe; tracked for awareness)
Roles and responsibilities¶
- Engineering Management (Policy Owner): Accountable for this policy; ensures adherence, review, and communication; approves exceptions.
- Engineering / Platform / Operations: Responsible for coordinating vulnerability management activities; oversees scanning and remediation; assesses effectiveness of controls.
- Developers: Follow this policy to ensure vulnerabilities are identified, assessed, logged, and remediated in a timely manner; report non-compliance or application difficulties to Engineering Management.
Regulatory alignment¶
This policy supports compliance with:
- SOC 2 (Trust Services Criteria — Common Criteria, Risk Management)
- ISO/IEC 27001:2022 (A.8.8 Management of technical vulnerabilities)
- GDPR (Article 32 — Security of processing)
- KVKK (Article 12 — Data security obligations)
Exceptions¶
Exceptions to this policy must be:
- Documented with justification, scope, duration, and compensating controls.
- Approved by the policy owner or an authorised delegate.
- Reviewed before expiry and retired when no longer required.
Policy review and updates¶
This policy is reviewed at least annually and when significant changes occur to systems, tooling, or threat landscape.
Note
This public policy describes Appcircle's vulnerability management posture at a high level. Detailed internal procedures (including specific scanning tools, remediation workflows, and penetration testing scope) are maintained separately and may be shared under appropriate agreements when required.
Related policies¶
- Information Security Policy
- SDLC Policy
- Change Management Policy
- Incident Response Plan
- Logging and Monitoring Policy
- Network Security Policy