Vulnerability Management Policy
How Finpliq identifies, triages, fixes and records security weaknesses.
At a glance
- Security findings should be logged, prioritised and remediated based on risk.
- Responsible disclosure reports are welcomed through the published disclosure route.
Full policy
- Sources include dependency alerts, code review, internal testing, responsible disclosure, security scans and operational incidents.
- Findings are prioritised using likelihood, impact, data sensitivity, exploitability and whether customer or HMRC-related data is affected.
- Critical issues require immediate triage and mitigation. Lower-risk items should be scheduled into the release backlog with accountability.
- Vulnerability fixes must be regression-tested against authentication, tenant isolation and filing workflows.