Vulnerability Management

How we identify, triage, and remediate security vulnerabilities.

Multi-Layered Identification

Future AGI employs a defense-in-depth approach to vulnerability discovery, combining automated tooling with human expertise to ensure comprehensive coverage across our entire attack surface.

Automated Scanning

  • Static Application Security Testing (SAST) via GitHub CodeQL runs on every pull request, identifying vulnerabilities in first-party code before it reaches production
  • Dependency scanning via Snyk continuously monitors all third-party libraries and container images for known CVEs, with automated pull requests for remediation
  • Infrastructure scanning evaluates cloud configuration against CIS benchmarks, flagging misconfigurations in real time

Manual and External Testing

  • External penetration tests are conducted at least annually by an independent, qualified third-party firm, with additional ad-hoc tests following major architectural changes
  • Internal security reviews are performed for all high-risk features, including threat modeling during design and security-focused code review during implementation
  • Responsible disclosure program provides a documented channel for external researchers to report vulnerabilities securely (see our Responsible Disclosure Policy)

Triage and Remediation

All identified vulnerabilities are assessed using CVSS scoring and triaged against the following severity-based SLAs:

  Severity   CVSS Range    Remediation SLA
  Critical   9.0 - 10.0    24 hours
  High       7.0 - 8.9     7 days
  Medium     4.0 - 6.9     30 days
  Low        0.1 - 3.9     90 days

Each vulnerability is assigned an owner, tracked in our security issue tracker, and reviewed in weekly security stand-ups until resolved. Remediation may include patching, configuration changes, compensating controls, or risk acceptance with documented justification approved by the security lead.

Compliance Alignment

Our vulnerability management program satisfies the requirements of:

  • SOC 2 Type II — Vulnerability management controls are audited annually as part of the Security trust service criterion
  • ISO 27001 — Aligned with Annex A.12.6 (Technical Vulnerability Management) and A.14.2 (Security in Development and Support Processes)

Vulnerability scan results and remediation evidence are retained for audit purposes and are available to customers upon request under NDA.

Questions?

Reach out to our security team.

security@futureagi.com

Request documents

SOC 2 report, DPA, pen test summary.