Vulnerability Management Policy
1. Introduction
This document defines how vulnerabilities in the DeskCamera software are tracked, assessed, and resolved. DeskCamera is an offline, on-premises application that streams screen data locally to NVR/VMS systems. It does not record video or audio and does not collect personal data. An optional connection to cloud infrastructure may occur solely for licensing or update-checking purposes. In no case is any personal data transmitted during such a connection.
2. Purpose
Ensure the security and reliability of DeskCamera by minimizing exposure to known vulnerabilities through structured assessment, remediation, and updates.
3. Scope
Applies to all versions of the DeskCamera software, internal development systems, code repositories, and all third-party components integrated into the software.
4. Governance and Roles
• CTO – Owns the policy and reviews critical vulnerabilities
• Development Team – Responsible for monitoring, assessing, and resolving issues
• Security Lead – Coordinates vulnerability response and external communication (if needed)
5. Vulnerability Identification
• Continuous monitoring of CVE feeds and vendor advisories for dependencies
• Internal code reviews and static analysis tools during development
• Bug reports from customers and ethical researchers via [email protected]
6. Classification and Risk Assessment
• Vulnerabilities are categorized as Emergency, High, Medium, or Low based on CVSS and business impact
• Risk score considers likelihood of exploitation, impact on functionality, and exposure surface
7. Remediation Process
• Emergency/High vulnerabilities addressed within 5 working days
• Security patches are integrated into the next available release after testing
• Dependencies updated proactively if any known risk emerges
8. Update and Release Process
• Builds are signed using a secure certificate stored on offline USB media
• New installers are published to the official DeskCamera website
• Customers are notified via the Security Advisories section (if applicable)
9. Customer Responsibilities
• Clients are responsible for downloading and installing updates manually
• DeskCamera cannot push updates or access customer environments, reinforcing the need for clients to follow best security practices
10. Review and Testing
• This policy is reviewed annually by the CTO
• Version control maintained via GitHub
• Vulnerability management practices may be refined following any security incident or advisory
11. Audit Logging and Change Tracking
• All code changes and access history are logged automatically via Azure DevOps Server source control
• Commit history, user activity, and permission changes are recorded in the internal SQL Server database of Azure DevOps Server
• Git commit trails are retained for all versions, and role-based access control ensures traceability
• The audit trail aligns with ISO 27001 and SOC 2 recommendations for secure software development