Vulnerability Management Policy

1. Purpose

This policy defines the framework and responsibilities for identifying, assessing, prioritizing, and mitigating security vulnerabilities across Marfeel’s systems and infrastructure. It reflects our established internal practices and aims to ensure that vulnerabilities are handled in a consistent, timely, and risk-based manner, while complying with regulatory obligations and maintaining operational integrity.

2. Identification of Vulnerabilities

Marfeel identifies security vulnerabilities through a combination of passive and active methods. Passive identification includes reports submitted via responsible disclosure channels, including ethical hacking practices. Active identification methods include external vulnerability scans conducted periodically by trusted third-party partners. Additionally, internal security assessments, code reviews, and monitoring performed by the Systems and Engineering teams help detect configuration flaws or software weaknesses. Our cloud infrastructure providers also run their own vulnerability scanning and patching protocols, contributing to the overall detection coverage.

3. Frequency of Scanning

Marfeel ensures that external vulnerability scans are conducted at least annually. In addition to this, internal code-level reviews and continuous monitoring are integrated into the DevOps pipeline. These reviews are conducted routinely and are triggered automatically as part of our secure development lifecycle. Security validations are also performed following any significant change to the infrastructure or deployed software, such as major updates or new feature releases.

4. Reporting and Notification Process

Upon identification, a vulnerability is immediately reported to the Director of SysOps, who is currently Joan Tomàs. The issue is then logged and assessed by the technical team in collaboration with relevant stakeholders, including the CTO and the legal and privacy teams where appropriate. If the vulnerability poses a significant risk or involves personal data, it is escalated according to internal procedures. Marfeel has processes in place to determine whether client or regulatory notifications are required, consistent with data protection regulations.

5. Risk Classification and Severity Assessment

Risk classification is based on several factors, including the likelihood of exploitation, the sensitivity of the data affected, and the potential impact on business operations. Vulnerabilities are assessed using the CVSS (Common Vulnerability Scoring System) version 3 framework and, where relevant, aligned with recommendations from regulatory bodies such as the Spanish Data Protection Agency (AEPD). This structured approach ensures that each vulnerability is prioritized and addressed appropriately based on its assessed risk.

6. Remediation Process

Once a vulnerability is confirmed, remediation steps may include patching software, adjusting system configurations, or updating source code. Changes are reviewed and tested in staging environments prior to deployment. Following implementation, the fix is validated to ensure the issue has been resolved. High-risk vulnerabilities are targeted for resolution within 72 hours. The resolution process is documented, and all activities are tracked to maintain accountability and traceability.

7. Documentation and Tracking

All identified vulnerabilities are documented and tracked within internal logs. The documentation includes a description of the issue, the detection date, mitigation actions, personnel involved, and resolution timeline. These records support auditability and are reviewed during periodic security evaluations. Change management practices are coordinated under the Director of SysOps’ oversight, ensuring consistency in the response process.

8. Responsibility

The responsibility for vulnerability management at Marfeel lies with the Director of SysOps, who oversees the process and ensures that the relevant technical teams carry out the necessary assessments and remediations. The Legal and Privacy teams provide support to ensure any regulatory requirements related to data protection are met. Each department is expected to contribute to maintaining the effectiveness of this policy by adhering to the roles defined in the incident and security protocols.