1. **Developers:** Develop software and trigger the execution of vulnerability scanning via the CI/CD pipeline.
2. **Scanning Tools:** Detect, classify and provide vulnerability remediation steps.
3. **Vulnerability Report:** Once scanning is performed, the vulnerabilities are listed here: [Vulnerability Report · Platform · GitLab (opengroup.org)](https://community.opengroup.org/groups/osdu/platform/-/security/vulnerabilities)
4. **Info Sec Team:** Reviews and manages outstanding vulnerabilities and ensures they are resolved and/or disclosed in a timely manner. The team also provides guidance and clarification on detected vulnerabilities.
5. **Issues:** The Info Sec team will assign issues to application support teams to remediate vulnerabilities. When vulnerabilities are detected, the following table can be used to assign issues to the appropriate personnel:
| Technology | Lead | Company |
|------------|------|---------|
...
...
@@ -21,7 +25,9 @@
| Policy | Mohammad Malekmakan | EA/DEL/DIGITAL Petronas |
6. **Exception/Acceptance Process:** If a vulnerability can be resolved, but not within the required time frame, the exception process must be followed alongside vulnerability remediation. If a vulnerability cannot be resolved, the acceptance process must be followed and no further remediation is required. Note: The following steps are only required if a vulnerability can be remediated.
7. **Remediate Vulnerability:** Developers will remediate vulnerabilities by performing the following steps:
7.1. Update software and/or dependencies based on the recommendations