Haystack conducts vulnerability scans on all systems at least annually. Any identified vulnerabilities are logged, prioritized, and fixed according to their priority. Once a fix has been put in place, we rescan systems to ensure that the vulnerability has been properly addressed.
Wherever possible, Haystack applies security patches automatically, to avoid any delays that could result in an exploitable vulnerability. This policy applies to both servers and endpoint devices (e.g. laptops). If security patches are not able to be applied continuously and automatically, they are applied on a regular schedule (e.g. Patch Tuesday). Haystack does not use software that is unmaintained or has reached end-of-life (EOL). In the event that a product Haystack uses is nearing EOL and Haystack cannot transition off of it before the EOL date, we will purchase maintenance support or maintain the project ourselves.
Network and codebase vulnerability scanning includes processes to scan for system misconfigurations that could lead to exploits and for known vulnerabilities in system packages. The scanning we conduct includes:
- configuration scans of our current network to identify any potential misconfigurations
- scans and upgrades of server software to ensure server packages contain the latest security patches
- scanning of external packages in our codebase to ensure vulnerabilities are patched and versions are up to date with the latest security patches
- static application security testing (SAST) for potential vulnerabilities in our application based on common sources (e.g. insufficient I/O validation, XSS, etc.)
Haystack uses centralized logging, application performance management (APM) and security information and event management (SIEM) tools to continuously monitor system events. The Haystack Security Team receives alerts when sensitive or suspicious events occur. Any suspicious activity is flagged for further investigation and followed up until the anomaly is resolved or a security event is identified. If a security incident is identified through system monitoring, Haystack Security Team members follow the steps laid out in the Security Incident Response Plan.
Haystack engages qualified third parties to conduct vulnerability scans / penetration tests on a regular basis. When Haystack engages third parties, we jointly define a scope and timeframe for testing / scanning that supports risk management goals without posing excessive disruption to the business (e.g. downtime from a successful exploit).
In our view, security vulnerabilities are bugs, and we treat them as such: by filing, prioritizing, and solving them on a timeline that is proportional to the business risk they pose.
When security-related bugs are identified, we first use CVSS to provide an initial risk rating. We use the calculator provided by NIST to calculate CVSS scores. Haystack's CTO must be notified of any vulnerabilities with a CVSS score of 7 or greater. We prioritize bugs (security or otherwise) in the following order:
- Critical
- High
- Medium
- Low
Like any scoring system, CVSS is a guideline. Haystack’s Head of Engineering has the ultimate authority to adjust a bug’s priority rating to align with business objectives. A written explanation of any priority adjustment must be added to any issue where an exception is made.
To make sure that security-related issues are noted, we tag them with a "security" tag in our issue tracker. Security-related bugs are addressed according to the following timelines:
- Critical: 7 days
- High: 30 days
- Medium: 60 days
- Low: as business priorities permit
The Vulnerability Management Program Owner is responsible for defining Haystack’s program and ensuring that this document is kept up to date. Vulnerability Management Program Owner: Haystack CTO
For more information, please contact security@usehaystack.io