Patch management
Last reviewed 2026-05-18
Cadence
| Cadence | Scope |
|---|---|
| Weekly | Dependabot PRs for npm (grouped minor + patch); triaged within 7 business days |
| Monthly | Major dependency upgrade window (Next.js, Firebase SDK, NextAuth, Sentry); coordinated during the first non-release week of each month |
| Major changes | Review of the required third-party libraries, SDKs, platform runtimes, and managed-service integrations for continued vendor support before release |
| Continuous | GitHub Security Advisory alerts; local pre-push checks; manual CodeQL / Semgrep security workflow |
| Ad-hoc | High/critical CVE -> emergency change per SLA below |
Target SLAs
| Severity (CVSS v3.1) | Acknowledgment target | Remediation target |
|---|---|---|
| Critical (9.0-10.0) | Within 24 h | Within 24 h |
| High (7.0-8.9) | Within 48 h | Within 7 days |
| Medium (4.0-6.9) | Within 5 business days | Within 30 days |
| Low (< 4.0) | Triaged at monthly window | Opportunistic |
For vulnerabilities with known active exploitation (CISA KEV list), treat as Critical regardless of CVSS.
Remediation targets assume an applicable vendor-side patch is available where the vulnerability is in a third-party dependency. When safe remediation cannot be completed inside the target window — for example, because no vendor patch is yet available, a vendor patch introduces a breaking change, or the fix requires design changes that need a separate change-management review — the Security Officer must approve a time-bound exception, document why immediate patching is not feasible, add compensating controls, and set a review and expiry date in the internal exceptions register. We do not silently accept a high or critical vulnerability because a patch is difficult.
Tooling
- Dependabot: weekly grouped PRs for `npm` dependencies.
- Semgrep: SAST workflow runs the `p/owasp-top-ten`, `p/nextjs`, `p/r2c-security-audit`, and `p/nodejsscan` rule packs with SARIF report artifacts retained for triage.
- CodeQL: `security-and-quality` workflow with SARIF report artifacts retained for triage. GitHub code-scanning upload can be restored in addition to artifact retention if code scanning is enabled for the private repository.
- npm audit: run in the manual security workflow and in the full local release check (`npm audit --omit=dev --audit-level=high`).
- CycloneDX SBOM: generated by the security workflow, stored as an artifact, and committed to the source-controlled SBOM evidence set when the manual workflow is run from `master`. The generated SBOM includes dependency-input freshness metadata so patch verification can compare the artifact with the current package lockfile and package dependency fields instead of relying only on file dates.
- GitHub Dependabot security alerts and automated security updates: enabled on the repository; alerts route to the Security Officer and are triaged per the SLAs above.
- Scheduled patch verification: the weekly security workflow waits for SBOM generation, regenerates a local SBOM for the runner workspace, checks current-checkout npm audit high or critical findings, open Dependabot PR age, Dependabot alert SLA, and source-controlled latest SBOM freshness, and uploads a dated patch-verification report artifact.
- Monthly evidence record: the same checks run for the monthly compliance record via the internal admin console. The admin page records each run and remains due until a passing monthly run is recorded. Production execution requires a scoped GitHub token with access to Dependabot alerts and repository contents.
- Authenticated DAST release smoke: a read-only authenticated dynamic scan runs against the configured release-candidate origin before material releases. The manual security workflow can run the same control after bootstrapping a scanner-safe authenticated session. Reports are archived as internal evidence or as GitHub workflow artifacts.
- External baseline DAST: the security workflow runs an unauthenticated OWASP ZAP baseline scan against the public web target on the weekly schedule and on manual dispatch. Reports are archived as GitHub workflow artifacts and retained in internal audit evidence when used for HECVAT support.
- Unresolved issue documentation: scheduled patch-verification reports automatically document unresolved dependency-update, vulnerability-alert SLA, dependency-audit, and SBOM-currency findings when a check fails. If remediation cannot be completed within SLA, the unresolved risk must also be handled through the exception process below.
Current Release Status
The current release audit reports no unresolved high or critical npm audit findings in either the application lockfile or the Firebase Functions lockfile. Historical remediation evidence is tracked in internal audit records rather than repeated in customer-facing answers once addressed.
The latest archived patch-verification run passed on 2026-05-15, including current-checkout high/critical npm audit checks, Dependabot PR age, high/critical Dependabot alert backlog, high/critical alert SLA, and SBOM freshness checks. Medium and low dependency alerts remain within the normal patch-management cadence.
The latest archived external ZAP baseline run reports no high-risk alerts. Medium and low findings are triaged under the SLA table above.
Scope
- First-party code (application + infrastructure-as-config)
- Direct and transitive npm dependencies
- Vercel platform (managed; patched by Vercel)
- Firebase / GCP services (managed; patched by Google)
- Docker images used in CI (patched on Node release)
Major-change dependency support review
For each major product, security, platform, or integration change, the Security Officer reviews required third-party libraries, SDKs, runtime versions, and managed-service integrations for continued vendor support before production release. Unsupported or end-of-life dependencies must be upgraded, replaced, removed from release scope, or covered by a documented time-bound exception with compensating controls.
Platform-level patching
- Vercel patches the Node runtime minor and patch releases for the selected major version; we confirm the selected major version is currently supported. (We are currently on Node 22, which Vercel lists as an available runtime.)
- Firebase/GCP managed services are patched by Google under the cloud shared-responsibility model; HiringCoachAI is responsible for application dependencies, configuration, IAM, and data controls.
- Provider update monitoring: the Security Officer reviews the Vercel Status RSS feed, Vercel Security Bulletins page, Firebase release notes, and Google Cloud Security Bulletins XML feed during patch review. Email/RSS subscription evidence is maintained outside source control and is not used as a public claim unless confirmed.
Exception handling
If a patch cannot be applied within SLA (e.g., breaking API change):
1. Compensating control implemented (WAF rule, disabled feature, input filter)
2. Exception logged in the internal exceptions register with expiry date
3. Approval by the Security Officer required
Verification
Monthly internal audit confirms (via the automated patch-verification runner):
- No unresolved Dependabot PRs older than 30 days
- No current-checkout high or critical npm audit findings in the application and Firebase Functions lockfiles
- No open high or critical GitHub Dependabot alerts past SLA
- Latest source-controlled CycloneDX SBOM is present and its dependency-input fingerprint matches the current package lockfile and package dependency fields
- Material releases have an archived authenticated DAST smoke report with critical and high findings remediated or covered by a time-bound exception before release
Related
- Vendor risk management: third-party security posture tracking
- Change management: emergency change procedure