Patch Management Policy
The primary objectives are to:
Mitigate security risks from known vulnerabilities in a timely manner.
Maintain the stability, availability, and performance of game servers, backend services, development environments, and other critical systems.
Minimize disruptions to live games, player experience, development workflows, and business operations.
Ensure compliance with applicable laws, international standards, and industry best practices.
Support rapid iteration typical in mini-game development and publishing while prioritizing security.
Developer workstations, laptops, and build machines.
Game servers (cloud-hosted or on-premise), backend APIs, databases, caching layers, and CDNs.
CI/CD pipelines, staging/test environments, and container orchestration systems.
Game engines and development tools (Unity, Unreal Engine, SDKs, third-party libraries/plugins).
Operating systems, firmware, middleware, runtime environments (Node.js, Python, etc.), and office productivity software.
Internal tools, websites, and any systems processing company or player-related data.
This policy does not cover client-side patching on end-user devices (handled automatically by app stores or game launchers). However, the Company will monitor and recommend client-side updates where critical vulnerabilities are publicly known.
Patch: Any software update (security fix, bug fix, feature update, or upgrade) released by a vendor to address vulnerabilities, improve stability, or add functionality.
Critical Patch: CVSS v3 score ≥ 9.0, actively exploited in the wild (zero-day or known exploits), or directly impacts live game services / player data.
High Priority Patch: CVSS 7.0–8.9, or patches with significant impact on stability/security but no active exploitation.
Medium/Low Priority Patch: All others.
Rollback: The process of reverting a system to a pre-patch state in case of issues.
CTO / IT Security Lead: Overall accountability for the policy; approves exceptions, emergency deployments, and annual reviews.
Security / DevOps Team: Monitors vulnerability feeds; assesses patch severity and business impact; coordinates testing, deployment, and post-deployment validation; maintains documentation and compliance reports.
Development Team: Tests patches in dev/staging environments for game-specific compatibility (e.g., gameplay mechanics, networking, performance, player data integrity); reports issues.
All Employees & Contractors: Report suspected vulnerabilities or patching issues; do not bypass or disable automated updates on company devices.
Third-Party Vendors / Cloud Providers: Must provide timely patch notifications and compliance evidence for managed services.
Use automated tools (vulnerability scanners, vendor advisories, CVE feeds, Unity/Unreal release notes, cloud provider dashboards) to monitor daily/weekly for new patches.
Subscribe to security mailing lists (e.g., US-CERT, vendor-specific alerts).
Evaluate patches based on: CVSS score, exploitability, affected assets, business impact (e.g., live game downtime risk), and relevance to mini-game infrastructure.
Classify and assign priority within 24 hours of release.
Apply patches first in non-production environments (dev → staging).
Conduct functional, performance, and security testing (automated unit/integration tests, load testing, gameplay regression).
Minimum test duration: 48 hours for routine patches; accelerated for critical.
Verify no regressions in player login, data sync, monetization, or core gameplay.
Critical patches: Deploy within 48 hours (or immediately for zero-days/exploits); use blue-green/canary deployments where possible.
High priority: Within 7 calendar days.
Medium priority: Within 14–30 days.
Low priority: During next scheduled maintenance window.
Schedule deployments outside peak player hours (e.g., avoid Japan prime time evenings/weekends).
Use automated tools (e.g., Ansible, cloud-native patch services, Jenkins pipelines) for consistency.
Post-deployment: Validate functionality within 24 hours via monitoring tools, logs, player feedback channels, and crash reporting.
Monitor for 7 days for latent issues.
Maintain pre-patch backups, snapshots, or immutable images for every deployment.
Document rollback procedures; test periodically.
In case of failure: Roll back immediately, notify stakeholders, and log incident.
Immediate notification to CTO / Security Lead upon discovery.
Rapid risk assessment (impact on live services / player data).
Accelerated testing (sandbox or limited canary rollout).
Deploy with monitoring in place; prepare communication to players if downtime expected.
Conduct post-incident review within 72 hours.
Any deviation (delay, skip) requires written justification, risk assessment, compensating controls (e.g., WAF rules, firewall blocks, monitoring), and CTO approval.
Exceptions are time-bound (max 90 days) and tracked.
Maintain centralized records of: patch ID, release date, assessment, test results, deployment date, verifier, and issues encountered.
Retain records for at least 12 months (or longer per compliance needs).
Quarterly summary report to leadership on patching status, exceptions, and metrics (e.g., % systems patched within SLA).
All relevant staff receive annual training on patch risks, procedures, and tools.
This policy is reviewed annually or after significant incidents, regulatory changes, or major infrastructure updates.
Non-compliance may result in disciplinary action up to termination.
Audits conducted periodically by internal security or external assessors.