NEXT has vulnerability management policies and procedures in place that describe how we monitor for new vulnerabilities and enforce timelines and processes for remediation.
Scanning and detection
NEXT utilizes a number of services to perform internal vulnerability scanning and package monitoring on a continuous basis.
NEXT employs automated and integrated security scans of the web application through HostedScan Security. Automated scans occur at least daily, and the engineering team is notified immediately of any detected vulnerabilities.
Severity and timing
NEXT defines the severity of an issue using a low, medium, high, or critical rating to help properly assess and prioritize its vulnerability management processes.
Low Severity — Low severity vulnerabilities are likely to have very little impact on the business, perhaps because they require local system access.
Medium Severity — Medium severity vulnerabilities usually require local network access or user privileges to be exploited.
High Severity — High severity vulnerabilities are typically difficult to exploit but could result in escalated privileges, significant data loss, and/or downtime.
Critical Severity — Critical severity vulnerabilities are likely to lead to root-level compromise of servers, applications, and other infrastructure components. If a critical vulnerability cannot be addressed within the defined timelines, an incident response ticket will be opened, documenting what interim remediation has been made.
When a vulnerability is detected and verified, the engineering team will remediate it within the SLA that corresponds to its severity.