Vulnerability Management Policy
Status: Active. Last updated April 11, 2026. Purpose: SOC 2 evidence for CC7.1 (Vulnerability Monitoring), CC8.1 (Change Management)
Policy
AskFlorence monitors all application dependencies for known security vulnerabilities and remediates them based on severity within defined timeframes.
Scanning
| Tool | Scope | Frequency | Configuration |
|---|---|---|---|
| GitHub Dependabot | npm dependencies (package.json) | Continuous (automated) | Enabled on askflorencehealth/ask-florence repo |
| npm audit | npm dependency tree | On every npm install | Default behavior |
Dependabot automatically creates alerts when vulnerabilities are published in the GitHub Advisory Database or the National Vulnerability Database (NVD).
Remediation SLAs
| Severity | Response Time | Remediation Time | Example |
|---|---|---|---|
| Critical | Same day | 24 hours | Remote code execution, auth bypass |
| High | Same day | 48 hours | DoS, data exposure |
| Medium | 3 business days | 7 business days | Limited-scope vulnerabilities |
| Low | Next sprint | 30 days | Theoretical or low-impact issues |
"Response time" = acknowledge and assess the alert. "Remediation time" = patch deployed to production.
Process
- Detection: Dependabot creates an alert on the repo's Security tab
- Assessment: Review severity, affected component, and exploitability
- Remediation: Update the vulnerable dependency to the patched version
- Verification: Confirm build passes and no regressions
- Deployment: Push to production
- Evidence: Git commit references the CVE and Dependabot alert number
Evidence Trail
All vulnerability remediations are tracked via git history. Each security patch commit includes:
- The CVE identifier
- The Dependabot alert number
- The version change (before → after)
- Build verification (must pass before push)
Git is the remediation log. No separate spreadsheet or ticket required — the commit history is the auditable record.
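An added checker, not part of this policy or the AskFlorence repository, that parses security-patch commit subjects for the three evidence fields listed above and applies the remediation-time column of the SLA table. The commit-message wording, Dependabot alert number 12 and the two commits other than 37c3054 are assumptions; business-day SLAs are counted Monday to Friday with no holiday calendar.

```python
import re
from datetime import date, timedelta

# Assumed commit-message convention (the policy names the fields, not the wording):
#   "fix(deps): bump next 16.2.2 -> 16.2.3 (CVE-2026-23869, Dependabot alert #12)"
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
ALERT_RE = re.compile(r"[Dd]ependabot alert #?(\d+)")
BUMP_RE = re.compile(r"(\S+) (\d+\.\d+\.\d+\S*) *(?:→|->) *(\d+\.\d+\.\d+\S*)")

def parse_commit(sha, message):
    """Extract the evidence fields; 'missing' lists what an auditor would flag."""
    cve, alert, bump = (r.search(message) for r in (CVE_RE, ALERT_RE, BUMP_RE))
    rec = {
        "commit": sha,
        "cve": cve.group(0) if cve else None,
        "alert": int(alert.group(1)) if alert else None,
        "bump": bump.groups() if bump else None,  # (package, before, after)
    }
    rec["missing"] = [k for k in ("cve", "alert", "bump") if rec[k] is None]
    return rec

def audit_log(commits):
    """Keep only commits naming a CVE, as `git log --grep=CVE` does, and parse them."""
    return [parse_commit(sha, msg) for sha, msg in commits if CVE_RE.search(msg)]

def business_days(start, end):
    """Mon-Fri days after `start` up to and including `end`."""
    n, d = 0, start
    while d < end:
        d += timedelta(days=1)
        n += d.weekday() < 5
    return n

def remediation_within_sla(severity, alerted, deployed):
    """Apply the policy's remediation-time column (24h / 48h / 7 business days / 30 days)."""
    a, d = date.fromisoformat(alerted), date.fromisoformat(deployed)
    return {
        "critical": (d - a).days <= 1,
        "high": (d - a).days <= 2,
        "medium": business_days(a, d) <= 7,
        "low": (d - a).days <= 30,
    }[severity.lower()]

# Constructed `git log --format='%h %s'` sample; line 1 mirrors the policy's history entry (alert #12 is made up).
SAMPLE_COMMITS = [
    ("37c3054", "fix(deps): bump next 16.2.2 -> 16.2.3 (CVE-2026-23869, Dependabot alert #12)"),
    ("a1b2c3d", "chore: regenerate lockfile after the CVE-2026-23869 fix"),
    ("d4e5f6a", "docs: update README"),
]
print(audit_log(SAMPLE_COMMITS))
```

Against a real checkout, feed `git log --grep=CVE --format='%h %s'` lines into `audit_log`; any record with a non-empty `missing` list is a commit that does not meet the evidence requirement.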
Remediation History
| Date | CVE | Severity | Package (before → after) | Issue | Commit |
|---|---|---|---|---|---|
| April 11, 2026 | CVE-2026-23869 | High | next 16.2.2 → 16.2.3 | DoS via Server Components | 37c3054 |
This table is updated with each remediation. For the complete history, run `git log --grep="CVE"` on the repo.
SOC 2 Control Mapping
| Control | Evidence |
|---|---|
| CC7.1 (Vulnerability Monitoring) | Dependabot enabled, continuous scanning, SLA table |
| CC8.1 (Change Management) | Remediation process, git commit trail with CVE references |
| CC7.2 (Anomaly Detection) | Dependabot alerts surface anomalous dependency states |