Joliez Agency Inc.

Vulnerability Management Policy

Internal Policy · Version 1.0 · Effective Date: May 18, 2026 · Next Review: May 2027

1. Purpose & Scope

This policy defines how Joliez Agency Inc. (“Joliez Agency”) identifies, evaluates, prioritizes, and remediates security vulnerabilities across its production systems, supporting infrastructure, third-party software dependencies, and the endpoint devices used by employees and contractors. It applies to every system that processes, stores, or transmits customer, employee, or financial data, and to every device with access to those systems.

2. Roles & Responsibilities

  • Chief Executive Officer (CEO) — policy owner; approves exceptions; reviews annually.
  • Chief Technology Officer (CTO) — enforces the policy; runs the scan cadence; tracks remediation against SLAs.
  • Employees & Contractors — keep their assigned endpoints current and report suspected vulnerabilities to security@joliezagency.com immediately.

3. Asset Inventory

The CTO maintains an inventory of assets in scope, refreshed at least quarterly:

  • Production web application — joliezagency.com on managed hosting (Apache web server, PHP 8.4), MySQL database, and any cron-scheduled jobs.
  • Production third-party services — Plaid Inc., Stripe Inc., SMTP/email delivery, the depository bank.
  • Application dependencies — tracked in a pinned dependency manifest and vendored alongside the application.
  • Endpoint devices — every Apple/Windows/Linux laptop or workstation used by an employee or contractor to access source code, production data, or administrative consoles.

4. Scanning Cadence

Asset class | Tooling | Frequency
Web application (TLS, headers, common web flaws) | Mozilla Observatory + Qualys SSL Labs (manual external scans) | Monthly
PHP & JavaScript dependencies | Dependency audit tooling against the FriendsOfPHP / Packagist advisory DB | Weekly, automated; results written to the internal vulnerability log
Server-side runtime (Apache, PHP, OpenSSL) | Managed by hosting provider; CVE bulletins reviewed on release | Continuous (provider) + monthly review
Endpoint devices (macOS / Windows) | Built-in OS protections: macOS XProtect, MRT, Gatekeeper, FileVault, system firewall, Automatic Updates; Windows Defender + automatic updates where applicable | Continuous (daily definition updates by vendor)
Source-code review for new commits | Manual code review + GitHub Dependabot alerts (where the repository is hosted on GitHub) | On every change

5. Patching SLAs

Findings are triaged by severity using the CVSS v3.1 base score (or the vendor’s severity rating where CVSS is unavailable). The following remediation SLAs apply from the time the finding is confirmed:

Severity | CVSS Range | Patch / Mitigation SLA
Critical | 9.0 – 10.0 | Within 7 calendar days (or sooner if actively exploited; emergency change window may be invoked)
High | 7.0 – 8.9 | Within 30 calendar days
Medium | 4.0 – 6.9 | Within 90 calendar days
Low / Informational | 0.1 – 3.9 | Next scheduled release, not to exceed 180 days

If a fix is unavailable within the SLA window, the CTO must document a compensating control (e.g., WAF rule, configuration hardening, feature flag) and obtain CEO sign-off for any exception.

6. End-of-Life (EOL) Software

Software that has reached, or is within 90 days of, its vendor end-of-support date is treated as a High-severity vulnerability and is added to the remediation backlog. The CTO reviews the EOL status of every runtime, framework, and dependency at least quarterly, using vendor lifecycle pages (e.g., php.net supported versions, endoflife.date) and the official Apple/Microsoft support matrices.

As of the effective date of this policy: PHP 8.4, Apache 2.4 (provider-maintained), macOS (current release), and PHPMailer 6.x are all within their vendor support windows.

7. Endpoint Hardening Baseline

All employee and contractor devices that access production systems must meet, and are verified at least quarterly to meet, the following baseline:

  • Full-disk encryption enabled (FileVault on macOS, BitLocker on Windows).
  • OS automatic updates enabled; security updates installed within SLA.
  • System firewall enabled; Gatekeeper / Smart App Control enabled.
  • Password manager required for all production credentials; reused passwords prohibited.
  • Multi-factor authentication required for every administrative account (hosting, DNS, banking, Plaid, Stripe, source-code repository, email).
  • Screen auto-lock ≤ 10 minutes.
  • No production data stored on removable media without encryption.

8. Vulnerability Reporting (External)

Security researchers and members of the public may report suspected vulnerabilities to security@joliezagency.com. We acknowledge reports within 3 business days and provide a status update within 15 business days. We do not pursue legal action against good-faith researchers who follow coordinated-disclosure norms (no data exfiltration beyond proof-of-concept, no service disruption, no public disclosure prior to remediation).

9. Record-Keeping & Audit

Scan results, remediation tickets, SLA exceptions, and quarterly EOL reviews are retained for a minimum of 24 months in the internal vulnerability log and the engineering tracker. These records are made available, on reasonable request and under NDA, to financial-services partners (including Plaid Inc.) and to auditors.

10. Policy Review

This policy is reviewed and re-approved at least annually by the CEO and CTO, and immediately following any of the following: a confirmed security incident, a material change to the technology stack, a change in applicable law, or a change in financial-data partner requirements. Each review is recorded in the change log below.

Change Log

  • v1.0 — May 18, 2026 — Initial policy approved by CEO. Owner: CTO.

Questions about this policy: security@joliezagency.com. © 2026 Joliez Agency Inc. All rights reserved.