# HandUp — Vulnerability Management SLA

**Version:** 1.0  
**Effective Date:** April 12, 2026  
**Classification:** Internal

---

## 1. Vulnerability Scanning

HandUp performs vulnerability scanning at multiple levels:

| Layer | Method | Frequency |
|-------|--------|-----------|
| Application dependencies | `pnpm audit` (npm advisory database) | Every build / pre-commit |
| Outdated packages | `pnpm outdated` (version drift detection) | Weekly |
| Infrastructure (OS, runtime) | Railway managed patching | Continuous (provider-managed) |
| Container/server instances | Railway managed infrastructure | Continuous (provider-managed) |

## 2. Patching SLA

Identified vulnerabilities are patched according to the following timelines:

| Severity | Response Time | Patch Deadline | Examples |
|----------|--------------|----------------|----------|
| **Critical** | Acknowledge within 4 hours | Patch within 24 hours | RCE, auth bypass, data exfiltration |
| **High** | Acknowledge within 24 hours | Patch within 72 hours | SQL injection, XSS, privilege escalation |
| **Medium** | Acknowledge within 3 business days | Patch within 30 days | Information disclosure, CSRF |
| **Low** | Acknowledge within 5 business days | Patch within 90 days | Minor information leak, best-practice deviation |

## 3. End-of-Life (EOL) Software Monitoring

- **Node.js runtime:** Minimum version enforced via `engines` field in `package.json` (currently `>=20`). Node.js 20 LTS is supported through April 2026; upgrades are planned proactively before EOL.
- **Dependencies:** `pnpm outdated` is run weekly to identify packages approaching or past EOL.
- **Framework versions:** Next.js, Expo, and Hono versions are tracked and upgraded within 30 days of major security releases.
- **Database:** PostgreSQL is managed by Railway with automatic minor version patching. Major version upgrades are evaluated within 60 days of release.

## 4. Scanning Commands

```bash
# Run vulnerability audit (flags high and critical)
pnpm security:audit

# Check for outdated dependencies
pnpm security:outdated
```
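The page does not show what the `security:audit` script expands to. The following is an added example, not HandUp's own script, of one way to build the gate that section 4 describes: it reads the JSON that `pnpm audit --json` emits, maps each finding onto the severity table in section 2 (acknowledgement window, patch deadline, whether it blocks the build), and exits non-zero when any high or critical finding is present. The advisory layout (advisories keyed by id with `module_name` and `severity`, the npm-v1 style report pnpm produces), the mapping of pnpm's `moderate` level to the SLA's Medium tier, and the sample report itself are assumptions constructed for the example.

```javascript
// audit-gate.js (added example, not part of HandUp's repository)
// Usage, assuming the audit JSON is piped in:  pnpm audit --json | node audit-gate.js
// Exit code 1 when any high/critical finding exists, 0 otherwise.

// SLA tiers from section 2. pnpm reports "moderate" where the SLA says "Medium";
// that mapping, and the calendar-day conversion of 24h/72h, are assumptions.
const SLA = {
  critical: { name: "Critical", ack: "4 hours",          patchDays: 1,    block: true },
  high:     { name: "High",     ack: "24 hours",         patchDays: 3,    block: true },
  moderate: { name: "Medium",   ack: "3 business days",  patchDays: 30,   block: false },
  low:      { name: "Low",      ack: "5 business days",  patchDays: 90,   block: false },
  info:     { name: "Info",     ack: "n/a",              patchDays: null, block: false },
};
const RANK = { critical: 0, high: 1, moderate: 2, low: 3, info: 4 };

// Constructed sample in the shape `pnpm audit --json` emits (assumed format);
// ids, package names, titles and URLs are placeholders, not real advisories.
const SAMPLE_REPORT = {
  advisories: {
    "1000001": { id: 1000001, module_name: "example-parser", severity: "high",
                 title: "Constructed: prototype pollution", url: "https://example.invalid/adv/1000001" },
    "1000002": { id: 1000002, module_name: "example-logger", severity: "moderate",
                 title: "Constructed: log injection", url: "https://example.invalid/adv/1000002" },
    "1000003": { id: 1000003, module_name: "example-utils", severity: "low",
                 title: "Constructed: ReDoS in a rarely used helper", url: "https://example.invalid/adv/1000003" },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 1, high: 1, critical: 0 } },
};

// Add whole days in UTC; setUTCDate handles month/year overflow.
function addDays(date, days) {
  const d = new Date(date.getTime());
  d.setUTCDate(d.getUTCDate() + days);
  return d;
}

// Turn each advisory into an SLA record: tier, acknowledgement window,
// patch-by date (counted from the scan date) and whether it blocks the build.
function triage(report, scanDate = new Date()) {
  const advisories = Object.values(report.advisories || {});
  return advisories
    .map((adv) => {
      const severity = String(adv.severity || "info").toLowerCase();
      const sla = SLA[severity] || SLA.info;   // unknown levels are treated as Info
      return {
        id: adv.id,
        module: adv.module_name,
        severity,
        slaTier: sla.name,
        acknowledgeWithin: sla.ack,
        patchBy: sla.patchDays === null ? null : addDays(scanDate, sla.patchDays).toISOString().slice(0, 10),
        blocking: sla.block,
        title: adv.title,
      };
    })
    .sort((a, b) => RANK[a.severity] - RANK[b.severity]); // most severe first
}

// Build gate: high and critical findings fail the run, everything else is reported only.
function gate(report, scanDate = new Date()) {
  const findings = triage(report, scanDate);
  const blocking = findings.filter((f) => f.blocking).length;
  return { findings, blocking, exitCode: blocking > 0 ? 1 : 0 };
}

function main() {
  const fs = require("node:fs");
  const raw = fs.readFileSync(0, "utf8");                 // audit JSON on stdin
  const result = gate(raw.trim() ? JSON.parse(raw) : { advisories: {} });
  for (const f of result.findings) {
    console.log(`${f.slaTier.padEnd(8)} ${f.module}: ${f.title} (ack ${f.acknowledgeWithin}, patch by ${f.patchBy})`);
  }
  console.log(`${result.blocking} blocking finding(s); exit ${result.exitCode}`);
  process.exit(result.exitCode);
}

if (typeof require !== "undefined" && require.main === module) main();
```

Running the script with `SAMPLE_REPORT` on a scan dated 12 April 2026 yields one blocking finding (the high-severity one, patch by 15 April), a Medium finding due 12 May, and a Low finding due 11 July; the sort order means the first line printed is always the one that most urgently needs a ticket.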

## 5. Responsibilities

- **Security Lead:** Triages audit findings, assigns severity, tracks remediation.
- **Engineering:** Applies patches within SLA timelines, verifies fixes.
- **All Personnel:** Report suspected vulnerabilities immediately.
