Trust

Vulnerability Management Policy

Last reviewed May 24, 2026.

Bella identifies vulnerabilities in its own code and in the open-source dependencies it relies on, prioritises them by exploitability and customer impact, and remediates them on documented timelines.

1. Sources

  • Dependency advisories — the package manager's audit feed (e.g., npm audit, pip-audit) is reviewed on every dependency update and at least weekly.
  • Vendor advisories — security advisories from Cloudflare, GCP, PostgreSQL, Node.js, and other foundational components are tracked and triaged.
  • Pre-commit secret scanning — every commit is scanned for accidental introduction of credentials. Detected secrets block the commit.
  • Static analysis — lint and type-check gates catch a meaningful class of defects (unsanitized inputs, unreachable error handlers, unsafe casts) before merge.
  • Provider-side controls — Cloudflare's managed WAF and rate limiting block exploit attempts at the edge.
  • Inbound reports — vulnerability disclosures from researchers and customers reach [email protected].

2. Severity and remediation timelines

  • Critical (CVSS ≥ 9.0) — remediated within 48 hours of confirmation, or compensating control deployed within 24 hours if remediation requires a non-trivial code change.
  • High (CVSS 7.0–8.9) — remediated within 7 calendar days.
  • Medium (CVSS 4.0–6.9) — remediated within 30 calendar days, or accepted with a documented justification if remediation is impractical.
  • Low (CVSS < 4.0) — addressed in the normal release cadence.
  • Severity is the higher of the CVSS score and Bella's contextual assessment of exploitability and blast radius. A medium-CVSS issue in a path that touches restricted-classification data is treated as a high.

3. Patching

  • Application dependencies — security-relevant updates land on the next deploy if no breaking change exists, or on a fast-follow patch deploy if a breaking change requires triage.
  • Operating system and runtime — OS-level security patches are applied on the provider's standard cadence, with critical advisories accelerated to the same window as application criticals.
  • Provider managed components — managed services (Cloudflare, GCP-managed PostgreSQL backups, managed runtime images) are patched by the provider; Bella tracks provider advisories to confirm patches affecting our use cases land.

4. Penetration testing

A third-party penetration test has not yet been commissioned. This is on the SOC 2 readiness roadmap (see Information Security Policy). In the interim, Bella relies on:

  • Automated dependency scanning with timely review.
  • Pre-commit secret detection.
  • Adversarial code review on every non-trivial code change, including a separate model-driven review pass.
  • Cloudflare's managed WAF and rate limiting.
  • Authentication and authorization tests integrated into CI.

5. Vulnerability disclosure

Bella welcomes coordinated vulnerability disclosure from security researchers. Reports should be sent to [email protected] with the subject prefix [SECURITY]. Bella commits to:

  • Acknowledging receipt within one business day.
  • Triage and initial assessment within five business days.
  • Status updates at meaningful milestones.
  • Not pursuing legal action against researchers acting in good faith.
  • Public credit on the platform status page where the reporter consents, after the issue is remediated.

6. Roles and responsibilities

  • Policy owner — Bella platform engineering lead.
  • Triage — the policy owner triages new advisories at least weekly.
  • Remediation — assigned to a named engineer with the timelines in Section 2.
  • Communication — customer-facing impact is communicated under the Incident Response Policy.

Related: Privacy · Incident Response · Information Security · All policies