# Vulnerability management

## Vulnerability assessment

Union.ai's vulnerability management program includes dependency analysis and automated CVE alerts for software dependencies, container image scanning for platform and customer-facing components, and periodic third-party penetration testing.

## Patch management

Union.ai follows a risk-based approach to patching. Critical vulnerabilities (CVSS 9.0+) are prioritized for immediate remediation. High-severity vulnerabilities are addressed within defined SLA windows.

The control plane is updated independently of customer data planes, so security patches can be applied without customer-side changes. In self-managed deployments, the customer handles data plane patching. In BYOC deployments, Union.ai manages data plane patching on the customer's behalf.

## Incident response

Union.ai maintains documented incident response procedures aligned with SOC 2 Type II requirements, including defined escalation paths, communication protocols, containment procedures, and post-incident review processes. The control plane's stateless handling of customer data limits the potential impact of any control plane incident. See [Two-plane separation](https://www.union.ai/docs/v2/union/security/compliance/architecture/two-plane-separation) for details.

## Third-party dependency risk

Union.ai relies on a small number of critical and operational dependencies, each with specific mitigations.

| Dependency | Tier | Role | Mitigation |
|---|---|---|---|
| Cloudflare | Critical | Cross-plane connectivity (Tunnel and gRPC ingress) | mTLS, outbound-only, health monitoring, auto-reconnection |
| AWS (control plane) | Critical | Control plane infrastructure | Multi-AZ, automated failover, encryption at rest and in transit |
| Customer cloud provider | Critical | Data plane infrastructure | Customer-managed; Union.ai provides guidance and tooling |
| Vanta | Operational | Compliance monitoring | Independent SOC 2 audit validates controls |
| Okta | Operational | OIDC authentication | Standard OAuth2/OIDC; API keys and service accounts as fallback |

The vendor management program is covered under SOC 2 Type II with periodic evaluation. A formal dependency risk assessment is available upon request. In self-managed deployments, the customer owns all data plane dependencies. In BYOC deployments, Union.ai assumes cluster-level dependency risk.

## Verification

### Vulnerability management

**Reviewer focus:** Confirm that Union.ai has an active vulnerability management program with defined SLAs and that third-party dependencies are evaluated and monitored.

**How to verify:**

1. The SOC 2 Type II report and [Trust Center](https://trust.union.ai) cover vulnerability management and vendor assessment controls.

2. Penetration test results are available on request.

This is audit-only verification.

---
**Source**: https://github.com/unionai/unionai-docs/blob/main/content/security/compliance/vulnerability-management.md
**HTML**: https://www.union.ai/docs/v2/union/security/compliance/vulnerability-management/
