Vulnerability Management Policy
The policy aims to:
Proactively detect and remediate vulnerabilities before they are exploited, reducing the risk of breaches of player or company data, service disruptions, and game downtime.
Ensure the confidentiality, integrity, and availability of game servers, backend infrastructure, development environments, player analytics, and sensitive information.
Minimize the impact of remediation work on live mini-games, player experience, rapid development cycles, and business operations.
Comply with relevant regulations (e.g., APPI, GDPR), international standards, and industry best practices for software and gaming companies.
The policy applies to:
Developer workstations, laptops, and build servers.
Game servers (cloud/on-premise), backend services, APIs, databases, caching, CDNs, and monitoring tools.
CI/CD pipelines, staging/test environments, container systems (Docker/Kubernetes if used).
Game engines (Unity, Unreal Engine), SDKs, third-party libraries, plugins, and dependencies.
Operating systems, firmware, middleware, runtime environments (Node.js, Python, etc.), web applications, and internal tools.
Any systems processing company data, player data (e.g., behavioral analytics, login info), or monetization flows.
This policy covers technical vulnerabilities in software, configurations, and dependencies. It does not cover physical security, personnel vulnerabilities, or client-side vulnerabilities on player devices; the Company does monitor public disclosures affecting player platforms and issues recommendations via game updates or store notices when they are critical.
Definitions:
Vulnerability: A weakness in an IT asset that could be exploited to compromise confidentiality, integrity, or availability.
Severity Levels (based on CVSS v3.1/v4.0 base score, exploit maturity, and business impact; the highest applicable level applies):
Critical: CVSS base score ≥ 9.0, or actively exploited in the wild (e.g., listed in the CISA KEV catalog), or a direct threat to live games or player data, regardless of score.
High: CVSS 7.0–8.9, or a lower-scored issue with significant business impact but no known active exploitation.
Medium: CVSS 4.0–6.9.
Low: CVSS <4.0.
Remediation: Applying patches, configuration changes, or mitigations (e.g., WAF rules, firewall blocks) that eliminate or reduce a vulnerability. Where remediation is not feasible, risk may instead be formally accepted under the risk acceptance provisions below; accepted risk is tracked separately and does not count as remediation.
Known Exploited Vulnerability (KEV): A vulnerability with confirmed exploitation in the wild, per the CISA KEV catalog or an equivalent source. KEV status overrides the score-based level: every KEV entry is handled as Critical.
Roles and responsibilities:
CTO / CISO / Security Lead: Overall accountability; approves policy, exceptions, risk acceptances, and annual reviews.
Security / DevOps Team: Leads scanning, assessment, prioritization; coordinates remediation; tracks metrics and reporting.
Development Team: Validates remediations in dev/staging for game compatibility (e.g., no regressions in gameplay, networking, monetization); reports code-level vulnerabilities (e.g., insecure dependencies).
All Employees & Contractors: Report suspected vulnerabilities promptly; cooperate with scans and remediations; do not disable security tools.
Third-Party Vendors / Cloud Providers: Notify Company of vulnerabilities affecting managed services; provide remediation timelines.
Vulnerability identification:
Perform automated vulnerability scanning with approved tools (e.g., weekly on production, bi-weekly on dev/staging); use authenticated scans where the tool supports them so that installed-package and configuration findings are not missed.
Monitor threat intelligence feeds, vendor advisories (Unity/Unreal, AWS/GCP/Azure, OS vendors), CVE databases, CISA KEV, and dependency checkers (e.g., OWASP Dependency-Check, Snyk if used).
Conduct manual code reviews, penetration testing, and dependency audits on a defined schedule.
Assessment and prioritization:
Assess each vulnerability within 48 hours of detection, considering CVSS score, exploit maturity, asset criticality (e.g., live game servers rank above dev environments), and business impact (player data exposure, downtime risk).
Prioritize remediation based on severity and risk to mini-game operations.
Remediation timelines (measured from detection):
Critical / KEV: Remediate within 48 hours (or immediately if exploitation is detected); apply compensating controls if no patch is available. Because the 48-hour assessment window and this deadline both start at detection, Critical findings must be triaged on the day they are found.
High: Within 7 calendar days.
Medium: Within 30 calendar days.
Low: Within 90 days or by the next release cycle, whichever is sooner.
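The severity rules and remediation windows above can be applied mechanically to scanner output. The following is an added example, not the Company's own tooling: a Python triage function that classifies constructed findings (the `Finding` fields, the finding IDs, the scan date and the release date are all assumptions for illustration), computes each deadline from the detection time, caps Low findings at the next release when that is sooner, and orders the queue by deadline. Breaking ties by CVSS score is an assumption of the example, not a rule from the policy.

```python
"""Severity classification and remediation-SLA tracking for scanner findings.

Added example; not the Company's own tooling. Field names, sample findings
and all dates are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from datetime import timedelta
from typing import Optional

# Remediation windows from the policy, measured from detection.
# Low is additionally capped at the next release cycle when that is sooner.
SLA = {
    "Critical": timedelta(hours=48),
    "High": timedelta(days=7),
    "Medium": timedelta(days=30),
    "Low": timedelta(days=90),
}


@dataclass
class Finding:
    finding_id: str                        # tracker ticket or scanner ID (constructed)
    cvss: float                            # CVSS v3.1 / v4.0 base score, 0.0-10.0
    in_kev: bool                           # listed in CISA KEV (or equivalent)
    threatens_live_or_player_data: bool    # direct threat to live games / player data
    significant_business_impact: bool      # assessor's judgement, no known exploit
    detected: datetime                     # when the scanner or feed reported it


def classify(f: Finding) -> str:
    """Map a finding to a policy severity; any single Critical condition suffices."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"{f.finding_id}: CVSS score out of range: {f.cvss}")
    # KEV and direct live/player-data threats override the numeric score.
    if f.in_kev or f.cvss >= 9.0 or f.threatens_live_or_player_data:
        return "Critical"
    if f.cvss >= 7.0 or f.significant_business_impact:
        return "High"
    if f.cvss >= 4.0:
        return "Medium"
    return "Low"


def due_date(f: Finding, next_release: Optional[datetime] = None) -> datetime:
    """Remediation deadline for the finding's severity, measured from detection."""
    sev = classify(f)
    due = f.detected + SLA[sev]
    # Low findings ride the next release if it ships before the 90-day window closes.
    if sev == "Low" and next_release is not None and next_release < due:
        due = next_release
    return due


def triage(findings, now: datetime, next_release: Optional[datetime] = None):
    """Build the remediation queue: earliest deadline first, higher CVSS first on ties."""
    queue = []
    for f in findings:
        due = due_date(f, next_release)
        queue.append({
            "id": f.finding_id,
            "severity": classify(f),
            "cvss": f.cvss,
            "due": due,
            "overdue": now > due,
        })
    queue.sort(key=lambda r: (r["due"], -r["cvss"]))
    return queue


# Constructed sample data: one scan run on a single morning.
DETECTED = datetime(2025, 1, 10, 9, 0)
NEXT_RELEASE = datetime(2025, 1, 30, 9, 0)
SAMPLE_FINDINGS = [
    Finding("F-1", 5.3, True, False, False, DETECTED),   # KEV lifts a Medium score to Critical
    Finding("F-2", 9.8, False, False, False, DETECTED),  # Critical on score alone
    Finding("F-3", 7.5, False, False, False, DETECTED),  # High
    Finding("F-4", 6.1, False, False, True, DETECTED),   # business impact lifts Medium to High
    Finding("F-5", 5.0, False, False, False, DETECTED),  # Medium
    Finding("F-6", 3.1, False, False, False, DETECTED),  # Low; next release is sooner than 90 days
]

if __name__ == "__main__":
    now = datetime(2025, 1, 14, 9, 0)   # constructed "today": four days after the scan
    for row in triage(SAMPLE_FINDINGS, now, NEXT_RELEASE):
        state = "OVERDUE" if row["overdue"] else "open"
        print(f'{row["id"]:5} {row["severity"]:8} cvss={row["cvss"]:<4} '
              f'due={row["due"]:%Y-%m-%d %H:%M} {state}')
```

Run as a script it prints the queue with F-2 and F-1 already overdue four days after the scan, which is the point of the KEV override: a 5.3 score would otherwise have had 30 days. Feeding real scanner exports into `Finding` and the resulting rows into the central tracker gives the detection date, severity, due date and SLA status that the tracking requirements below ask for.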
Remediation and verification:
Prefer vendor patches; where none is available, use mitigations (e.g., disable vulnerable features, apply WAF rules).
Test remediations in staging environments for game stability, performance, and player experience before production deployment.
Use blue-green/canary deployments to minimize live impact.
Verify successful remediation via rescans and functional testing within 7 days post-deployment.
Monitor for 30 days for regression or new issues.
Risk acceptance:
If remediation is not feasible (e.g., it breaks core gameplay), document a formal risk acceptance with compensating controls, a residual risk assessment, and CTO approval.
Track and review accepted risks quarterly.
Emergency response:
Escalate immediately to the Security Lead/CTO upon detection of active exploitation or a zero-day affecting Company assets.
Activate incident response if compromise is suspected.
Implement temporary mitigations (e.g., isolate affected systems, block exploit traffic).
Accelerate remediation/testing/deployment.
Notify affected players and regulators if personal data is impacted, within the statutory deadlines set by APPI/GDPR.
Conduct root-cause analysis and post-incident review within 14 days.
Exceptions:
Any deviation from this policy requires written justification, a risk assessment, compensating controls, and approval by the CTO/CISO.
Exceptions are time-bound (max 90 days unless re-approved) and tracked centrally.
Tracking and reporting:
Maintain centralized vulnerability tracking (e.g., ticketing system, dashboard) recording for each finding: vulnerability ID, detection date, severity, affected assets, remediation plan/status, owner, and verification date.
Retain records for at least 12 months (or longer where regulatory requirements demand).
Provide quarterly reports to leadership: open vulnerabilities by severity, percentage of remediation SLAs met, critical issues resolved, and trends.
Training and awareness:
Annual training for relevant staff on vulnerability risks, reporting, and tools.
Integrate secure coding and dependency management into developer onboarding.
Policy review and enforcement:
This policy is reviewed annually and after major incidents, regulatory changes, or significant infrastructure updates.
Non-compliance may result in disciplinary action, up to termination.
Periodic internal/external audits to verify effectiveness.