Observability & Patch Management Policy

1. Purpose

The purpose of this policy is to define Untitled’s approach to identifying, evaluating, and remediating errors and vulnerabilities, and to applying software patches across its infrastructure and systems.

This policy is intended to ensure that updates are applied in a timely and consistent manner to reduce exposure to known vulnerabilities.


2. Scope

This policy applies to:

  • Production infrastructure and systems

  • Cloud resources and services (AWS)

  • Application dependencies and libraries

  • Internal systems and supporting services used in platform operations


3. Patch Management Approach

Untitled follows a risk-based patch management approach, prioritizing remediation based on the severity and potential impact of identified vulnerabilities.

Where possible, Untitled leverages managed cloud services to reduce direct infrastructure patching requirements, relying on AWS-managed controls for underlying system updates.


4. Vulnerability Identification

Untitled identifies vulnerabilities through a combination of:

  • Automated vulnerability scanning tools (AWS, Sentry, and auxiliary dependency monitoring tools)

  • Monitoring of publicly disclosed vulnerabilities (e.g., CVEs)

  • Alerts from infrastructure providers and software vendors

  • Internal engineering review and monitoring processes

Identified vulnerabilities are tracked and evaluated based on severity and relevance to Untitled systems.


5. SLAs, Patch Prioritization & Remediation

Severity | Definition / Examples                     | Acknowledge within | Resolve within
---------|-------------------------------------------|--------------------|---------------
Critical | Service down / data loss                  | 1 hour             | 4 hours
High     | Major feature broken, wide user impact    | 4 hours            | 24 hours
Medium   | Partial degradation, workaround exists    | 24 hours           | 72 hours
Low      | Minor errors, isolated impact             | 72 hours           | 2 weeks

Patches are applied based on the severity of the associated vulnerability:

  • Critical vulnerabilities: Addressed as soon as practicable, with prioritization for immediate remediation.

  • High severity vulnerabilities: Addressed promptly based on risk and exposure.

  • Moderate and low severity vulnerabilities: Addressed as part of normal maintenance and release cycles.

Issue Management:

When a user or system action triggers an error, Untitled captures details such as which endpoint failed, the error type, and how many times it occurred.

Errors are grouped by HTTP method, endpoint, and error code, and published as issues. Each new issue triggers a notification to an internal Slack channel. Reminders are sent every 24 hours until the issue has been reviewed.

After an issue is corrected, it is marked as resolved with a note indicating which version includes the fix. Issue fixes are shipped as patch releases, indicated by incrementing the patch component of the version number, major.minor.patch (e.g., 1.1.10 to 1.1.11).

The Untitled development team holds a weekly review to ensure low-priority issues are being triaged.

Where immediate patching is not feasible, mitigating controls may be applied to reduce risk until remediation can be completed.


6. Patch Deployment

Patches and updates are deployed through controlled processes, which include:

  • Application updates via CI/CD pipelines

  • Infrastructure updates via managed cloud services or deployment workflows

  • Dependency updates through version-controlled code changes

All production changes follow established deployment and change management practices, including review and approval where applicable.

[Diagram: Issue Remediation Process (Example)]


7. Weekly Review Process

Untitled maintains an ongoing process to review and track issues, errors, and vulnerability patch status.

  • Issues and patch status are reviewed on a regular basis, no less than weekly

  • Open vulnerabilities are evaluated for severity, impact, and required action

  • Remediation progress is tracked through internal workflows

This review process ensures continued visibility into outstanding vulnerabilities and supports timely remediation.


8. Exceptions

In cases where a patch cannot be applied within expected timeframes, the following may occur:

  • Risk is evaluated and documented internally

  • Temporary mitigating controls may be implemented

  • Remediation is scheduled for a future release cycle


9. Roles & Responsibilities

  • Engineering Team: Responsible for identifying, prioritizing, and implementing patches and updates

  • Infrastructure / DevOps: Responsible for maintaining cloud infrastructure updates and monitoring system-level vulnerabilities

  • Leadership Oversight: Provides oversight on prioritization and ensures appropriate resourcing for remediation


10. Policy Maintenance

This policy is reviewed on a semi-annual basis and updated as necessary to reflect changes in infrastructure, tooling, or security practices.
