Security Bug Fix Policy
Scope
The procedure we use to fix security bugs in our products is detailed below. It complements related policies such as the Change Control Process and Vulnerability Disclosure / Security Incident Notification Procedure.
At miniOrange, we take security seriously. In the unlikely event that a vulnerability is discovered in one of our products, its severity is classified into one of four categories:
- Critical: The most serious vulnerabilities that can result in total system compromise.
- High: Vulnerabilities with the potential to seriously jeopardize the system.
- Medium: Vulnerabilities that could partially compromise the system.
- Low: Vulnerabilities that slightly impact the system.
Time Frames of Fixes
- Critical severity bugs: fixed within 2 weeks of verification.
- High severity bugs: fixed within 4 weeks of verification.
- Medium severity bugs: fixed within 6 weeks of verification.
- Low severity bugs: fixed within 12 weeks of verification.
Incident Handling Process
The following table summarizes how incidents are handled based on severity:
| Severity | Customer Notification | Responsible Team | Escalation |
|---|---|---|---|
| Critical | Immediate – via Atlassian ticket and direct email | Senior Software Developers | Escalated to Security Team Lead & DPO |
| High | Prompt – via support channels (email/ticket) | Support & Senior Developers | Escalated to Security Team Lead |
| Medium | Notification via ticket/email | Support Team & Assigned Developer | Review in Weekly Security Sync |
| Low | Notification via ticket/email | Support Team | Logged & Monitored |
Note: All escalations follow cloud access limitations; no tenant data is accessed beyond app scopes.
Logging and Monitoring
- All identified vulnerabilities are logged, tracked, and monitored in a secure internal system.
- Access to logs and vulnerability reports is restricted to authorized personnel only.
- Reports include:
  - Issue summary
  - Method of resolution and changes applied
  - Time and effort spent
  - Prevention and future mitigation actions
- Logs are retained for at least 90 days (aligning with the Retention Defaults in the Privacy Policy).
- Releases are prioritized based on severity and tracked until full closure.
Policy Review
This policy is reviewed at least twice a year. Lessons learned from each incident are incorporated into our development lifecycle and staff training to ensure continuous improvement of our security posture.