
Vulnerability management

Written by Moodi Mahmoudi
Updated over 2 weeks ago

At a glance

NEXT AI runs continuous vulnerability management: automated daily web-app scans (HostedScan), host/package exposure checks (e.g., AWS Inspector and managed endpoint agent), and a documented remediation SLA (Critical 24h, High 3 days, Medium 1 month, Low best efforts). Findings are tracked to closure with owner assignment, validation before close, and records retained 5 years.

Independent testing: For our annual third-party web app & API test (method, cadence, latest results), see Penetration testing.

Scanning & detection

  • Web application: Automated scans via HostedScan Security run at least daily; engineers are alerted on detection.

  • Cloud & hosts: AWS Inspector and an endpoint security agent identify OS/package vulnerabilities and misconfigurations across managed assets.

Triage & SLAs

Severity levels (level: description):

  • Low: Low severity vulnerabilities are likely to have very little impact on the business, perhaps because they require local system access.

  • Medium: Medium severity vulnerabilities usually require the same local network or user privileges to be exploited.

  • High: High severity vulnerabilities are typically difficult to exploit but could result in escalated privileges, significant data loss, and/or downtime.

  • Critical: Critical severity vulnerabilities likely lead to root level compromise of servers, applications, and other infrastructure components. If a critical vulnerability cannot be addressed within the defined timelines, an incident response ticket will be opened, documenting what interim remediation has been made.

Remediation timelines: When a vulnerability is detected and verified, the engineering team remediates it within the SLA for its severity. Ownership is assigned; work is tracked in the engineering backlog with due dates. The SLA clock resets when severity is upgraded; it is never relaxed when severity is downgraded. CRITICAL/HIGH findings cannot ship to production unresolved without an approved exception.
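The SLA rules in this section (Critical 24h, High 3 days, Medium 1 month, Low best efforts; clock reset on upgrade, no relaxation on downgrade; Critical/High blocked from production without an approved exception; closure only with an owner and a validator) are small enough to encode as a finding record. The following is an added illustration, not NEXT AI's own tracking tooling: it assumes "1 month" means 30 days, and the finding IDs, owners and timestamps are constructed.

```python
"""Illustrative finding tracker for the remediation SLA rules above (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Remediation windows per severity. Low has no hard deadline ("best efforts").
SLA: dict[str, Optional[timedelta]] = {
    "Critical": timedelta(hours=24),
    "High": timedelta(days=3),
    "Medium": timedelta(days=30),  # assumption: "1 month" is treated as 30 days
    "Low": None,
}
RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


@dataclass
class Finding:
    finding_id: str
    severity: str
    identified_at: datetime
    owner: Optional[str] = None
    status: str = "open"
    exception_approved: bool = False
    due_at: Optional[datetime] = field(init=False, default=None)
    history: list[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.severity not in SLA:
            raise ValueError(f"unknown severity {self.severity!r}")
        # SLA is applied from the time of identification.
        self.due_at = self._deadline(self.severity, self.identified_at)
        self.history.append(f"{self.identified_at:%Y-%m-%d %H:%M} opened as {self.severity}")

    @staticmethod
    def _deadline(severity: str, start: datetime) -> Optional[datetime]:
        window = SLA[severity]
        return None if window is None else start + window

    def reclassify(self, new_severity: str, at: datetime) -> None:
        """Change severity; upgrades restart the clock, downgrades never extend it."""
        if new_severity not in SLA:
            raise ValueError(f"unknown severity {new_severity!r}")
        if RANK[new_severity] > RANK[self.severity]:
            # Upgrade: SLA resets at the moment of reclassification.
            self.due_at = self._deadline(new_severity, at)
        else:
            # Downgrade: keep whichever deadline is earlier, so the due date
            # can only stay the same or tighten, never move later.
            candidate = self._deadline(new_severity, self.identified_at)
            if self.due_at is None:
                self.due_at = candidate
            elif candidate is not None:
                self.due_at = min(self.due_at, candidate)
        self.history.append(f"{at:%Y-%m-%d %H:%M} {self.severity} -> {new_severity}")
        self.severity = new_severity

    def is_overdue(self, now: datetime) -> bool:
        return self.status == "open" and self.due_at is not None and now > self.due_at

    def blocks_production(self) -> bool:
        """Critical/High findings block a release unless an exception is approved."""
        return (self.status == "open"
                and self.severity in ("Critical", "High")
                and not self.exception_approved)

    def close(self, validated_by: str, fixed_in: str, prod_release: str, at: datetime) -> None:
        """Close only with an assigned owner and validation; record where it was fixed."""
        if self.owner is None:
            raise ValueError("assign an owner before closing")
        if not validated_by:
            raise ValueError("closure requires validation by Security/Reporter")
        self.status = "closed"
        self.history.append(
            f"{at:%Y-%m-%d %H:%M} closed, validated by {validated_by}; "
            f"fixed in {fixed_in}; target prod release {prod_release}"
        )


if __name__ == "__main__":
    # Constructed walkthrough: a High finding upgraded to Critical a day later.
    t0 = datetime(2024, 1, 1, 9, 0)
    f = Finding("F-1", "High", t0, owner="alice")
    print("initial due:", f.due_at)            # t0 + 3 days
    f.reclassify("Critical", t0 + timedelta(days=1))
    print("after upgrade due:", f.due_at)      # t0 + 1 day + 24h
    print("blocks production:", f.blocks_production())
    for line in f.history:
        print(" ", line)
```

The downgrade branch is the part worth noting: a Critical finding reclassified as Medium keeps its original 24-hour deadline, and a finding reclassified as Low keeps whatever deadline it already had, which is what "no SLA relaxation on downgrades" requires.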

Context: Pentest findings (if any) follow the same remediation SLAs shown here; details are in Penetration testing.

Fix, validate, close

  • A finding closes only after a fix/mitigation is implemented (or false positive verified) and validated by Security/Reporter. Closure notes record where it was fixed and the targeted prod release date. Evidence is retained for 5 years.

Exceptions (compensating controls)

  • If a direct fix is not yet feasible, an Exception may be raised with compensating controls, approved by the Security Officer and the asset owner, and linked to the original finding for tracking.

Coordinated disclosure

  • Security researchers and customers can report issues to security@nextapp.co under NEXT’s Responsible Disclosure Policy; we acknowledge and work to resolve promptly.

Standards alignment: NIST SP 800-40 r4, OWASP VMG, and ISO/IEC 27002:2022 control 8.8 (see the FAQ below).

FAQ

Q: What are NEXT AI’s remediation SLAs?

Critical 24h, High 3 days, Medium 1 month, Low best efforts—applied from time of identification (or reset when severity is upgraded).

Q: Which scanners does NEXT AI use? Are scans really continuous?

Hosted app scans run daily via HostedScan Security; infrastructure/package exposure is checked with AWS Inspector and a managed endpoint agent.

Q: How does NEXT AI track and close findings?

Each finding is assigned an owner, fixed or mitigated, then validated before close; closure notes include the target prod release. Records are kept 5 years.

Q: What if a fix isn’t immediately possible?

An Exception can be approved with compensating controls by the Security Officer and asset owner; it’s linked to the original finding and reviewed until resolved.

Q: Do scanners replace penetration testing?

No—automated scanning complements (but doesn’t replace) our third-party annual pentests of the web app and APIs. See Penetration testing for method and latest results.

Q: How should external researchers report a vulnerability?

Email security@nextapp.co per our Responsible Disclosure Policy; we acknowledge and coordinate timelines for fix and disclosure.

Q: Which standards guide NEXT AI's vulnerability management program?

We align to NIST SP 800-40 r4, OWASP VMG, and ISO/IEC 27002:2022 control 8.8 for managing technical vulnerabilities.
