
Vulnerability Management Policy

Last Updated

This Vulnerability Management Policy defines an approach for vulnerability management to reduce system risks and integrate with patch management. From time to time, Haystack may update this policy and implement different levels of security and privacy controls for different information assets, based on risk and other considerations. This policy is guided by security and privacy requirements specific to Haystack including applicable laws and regulations.

This policy applies to all Haystack assets utilized by personnel acting on behalf of Haystack or accessing its applications, infrastructure, systems or data. All personnel are required to read, accept, and follow all Haystack policies and plans.

Vulnerability and Patch Management Program

Haystack maintains a vulnerability management process that is integrated into the Change Management Process.

Haystack may periodically test the security and privacy posture of its applications and systems through third-party scans and by scanning the information systems owned and managed by Haystack with internal vulnerability tools.

Haystack also monitors multiple vulnerability alert lists, such as CVE (https://cve.mitre.org/) and US-CERT (https://www.us-cert.gov), to get up-to-date information on the latest vulnerabilities.

Third-Party Penetration and Vulnerability Tests

Haystack schedules third-party security assessments and penetration tests at least annually. Haystack periodically performs vulnerability scans.

Identifying Vulnerabilities

Haystack will analyze scans and their reports, whether from third parties or from its own scans, for verification and vulnerability impact.

Scoring Vulnerabilities

Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard.

Mitigating Vulnerabilities

If remediation is required, the appropriate team member at Haystack will be notified of the requirements to remediate or mitigate the vulnerability, and the timeframe of such requirement will depend on the severity of the vulnerability. Such tracking of vulnerabilities must be done through the company's change management tool and in accordance with the Change Management Process.

The information obtained from the vulnerability scanning process will be shared with appropriate personnel throughout the organization on a “need to know” basis to help eliminate similar vulnerabilities in other information systems.

Patching

All system components, software and production environments shall be protected from known vulnerabilities by installing applicable vendor-supplied security patches. Other patches not designated as critical by the vendor shall be applied on a normal maintenance schedule as defined by normal systems maintenance and support operating procedures.

System and Non-Company Application Patching

A regular schedule shall be developed for security patching of all Haystack systems and devices. Patching shall include updates to all operating systems and third-party applications.

Most vendors have automated patching procedures for their individual applications. The regular application of critical security patches is reviewed as part of normal change management and audit procedures.

Haystack Application Patching

Haystack applications are patched in accordance with the Change Management Policy. Patches deemed to be of a high or critical nature may be rolled out in a compressed schedule as set forth in such policy.

Patching Exceptions

Patches on production systems (e.g. servers and enterprise applications) may require complex testing and installation procedures. In certain cases, risk mitigation rather than patching may be preferable. The risk mitigation alternative selected should be determined through an outage risk to exposure comparison.

Exceptions

Haystack business needs, local situations, laws, and regulations may occasionally call for an exception to this policy or any other Haystack policy. If an exception is needed, Haystack management will determine an acceptable alternative approach.

Enforcement

Any violation of this policy or any other Haystack policy or procedure may result in disciplinary action, up to and including termination of employment. Haystack reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. Haystack does not consider conduct in violation of this policy to be within an employee’s or contractor’s course and scope of work.

Any personnel who are requested to undertake an activity that they believe is in violation of this policy must provide a written or verbal complaint to their manager or any other manager of Haystack as soon as possible.

Responsibility, Review, and Audit

Haystack reviews and updates its security and privacy policies and plans to maintain organizational security and privacy objectives and meet regulatory requirements at least annually. The results are shared with appropriate parties internally and findings are tracked to resolution. Any changes are communicated across the organization.

Mailing Address
1645 Abbot Kinney Suite 202, Venice, CA 90291
Privacy Contact
privacy@haystackteam.com
General Inquiries
hello@haystackteam.com
Legal Contact
legal@haystackteam.com
Copyright Haystack Team, Inc. 2025