Penetration testing policy
Summary
The penetration testing policy describes the rules and principles for how penetration testing is applied in our organization: when tests are run, who may run them, how findings are scored and how quickly they must be fixed.
Principles
- Penetration tests should occur at least once per year, and additionally after any major change to the architecture or infrastructure
- We are open to any customer-initiated penetration test, provided that:
  - it is announced in advance and the dates are agreed upon
  - we receive a complete, unredacted copy of the test report
- When we initiate the penetration test, the tester should meet the competence requirements defined on the Security tester page
- We have published a Responsible disclosure policy on our website
Scoring
- Vulnerabilities should be scored according to the Common Vulnerability Scoring System (CVSS), version 2 or 3
- Exceptions to the CVSS score (e.g. related to impact calculation) should be agreed upon with the penetration tester involved
- If arbitration is needed, a second opinion can be obtained from another penetration testing company
Treatment
Vulnerabilities are treated based on the CVSS score, as follows:
| Severity | CVSS v2 | CVSS v3 | Treatment |
|----------|---------|---------|-----------|
| None | - | 0.0 | None |
| Low | 0.0-3.9 | 0.1-3.9 | Added to the backlog for the next version |
| Medium | 4.0-6.9 | 4.0-6.9 | Following the Incident management process, should be fixed within 1 month |
| High | 7.0-10.0 | 7.0-8.9 | Following the Incident management process, should be fixed within 1 week |
| Critical | - | 9.0-10.0 | Following the Incident management process, should be fixed immediately |