
Vulnerability Disclosure

Vulnerability Management

At SONAR CMS Ltd, we take the security of our systems, applications, and data seriously. Our Vulnerability Management Policy sets out a structured, risk-based approach for identifying, assessing, prioritising, remediating, and tracking vulnerabilities across our cloud-hosted applications and supporting systems.


Our Approach

We identify vulnerabilities through a combination of automated cloud-native scanning tools, monitoring of public vulnerability sources such as the National Vulnerability Database, vendor advisories, internal testing, and external reports submitted through our vulnerability disclosure process.

Each vulnerability is assessed using CVSS scoring and prioritised based on severity, asset criticality, exploitability, and business impact.


Remediation and Governance

All vulnerabilities are logged, assigned an owner, validated where applicable, remediated or mitigated, tested, deployed through controlled release processes, and verified through re-testing or rescanning.

Where remediation cannot be completed within the required timeframe, exceptions must be formally documented, risk-assessed, approved, time-bound, and reviewed regularly.


Continuous Improvement

We monitor key metrics including open vulnerabilities by severity, SLA compliance, mean time to remediate, and recurring vulnerability types. These insights help us improve our processes, strengthen our security posture, and reduce risk over time.


Policy Alignment

Our vulnerability management approach aligns with recognised industry best practice and standards, including ISO/IEC 27001 and guidance from the National Institute of Standards and Technology.

Contact

To report a security vulnerability or request further information about our vulnerability management approach, please contact SONAR CMS Ltd through our usual support or contact channels or by emailing reportvulnerabilities@sonarcms.co.uk.

Link to full policy

Last Reviewed: April 2026

Next Review: April 2027
