Vulnerability Management Procedure
Organization: Aina Design Corp
Applies To: hawaii.mokunet.us · kuleana.ainadesign.org · huikoeaina.ainadesign.org · ainadesign.org
Version: 1.0
Effective Date: February 20, 2026
Next Review: February 20, 2027
Policy Owner: Security Lead
This procedure defines how Aina Design Corp identifies, assesses, prioritizes, and remediates security vulnerabilities in its platforms and dependencies — ensuring that student data is protected from known exploits and that district partners can trust the security posture of the platforms they use.
This procedure applies to:
•
All platform codebases (mokunet, kuleana, huikoeaina, ainadesign.org)
•
All third-party libraries and dependencies
•
All cloud infrastructure and configuration
•
All Firebase, Supabase, and hosting configurations
Aina Design Corp monitors for vulnerabilities from the following sources:
npm audit, automated CI checks
Every pull request + weekly
Subscription to CISA KEV catalog
OWASP-aligned peer review
4. Severity Classification and Response Times
CVSS 9.0–10.0; remote code execution, auth bypass
Patch within 24 hours; notify district partners
CVSS 7.0–8.9; significant data exposure risk
CVSS 4.0–6.9; limited or indirect risk
Address in next scheduled release
If a critical vulnerability cannot be patched within 24 hours, a documented compensating control (e.g., WAF rule, feature flag disablement) must be applied and the Security Lead notified.
5. Vulnerability Workflow
1.
Identify — Vulnerability detected via automated scan, advisory, or manual review.
2.
Assess — Security Lead confirms severity and affected systems.
3.
Prioritize — Assign remediation owner and target date based on severity table above.
4.
Remediate — Apply patch or implement compensating control.
5.
Verify — Confirm fix is deployed and vulnerability is resolved.
6.
Document — Record the vulnerability, assessment, remediation action, and closure date in the risk register.
7.
Notify (if applicable) — Notify district partners if a high/critical vulnerability may have exposed their data.
•
All production dependencies are tracked in package.json with locked versions.
•
Dependabot or equivalent is enabled on all repositories.
•
Dependencies with no available patch for a critical vulnerability are evaluated for replacement or isolation.
•
No dependency may be pinned to a known-vulnerable version without a documented risk acceptance from the Security Lead.
7. Secure Development Controls
All code changes pass through:
•
Automated dependency scanning in CI/CD pipeline
•
Peer code review (OWASP Top 10 awareness required)
•
Security-focused release checklist before production deployment
Where a vulnerability cannot be remediated within the target timeframe, a formal risk acceptance is documented by the Security Lead. Risk acceptances expire after 90 days and must be renewed with justification.
•
Weekly: Automated scan results reviewed
•
Monthly: Open vulnerability register reviewed
•
Annually: Full procedure review
Security Lead: _________________________
Engineering Lead: _________________________
Date Approved: _________________________