Infrastructure and network security

Application infrastructureAccess controlsVulnerability management
Scanning and detectionSeverity and timingRemediation process
Penetration testingIntrusion detection and preventionLogging and monitoringLogical separationIncident responseVulnerability disclosureSoftware development life cycle
More articles
Help homeSecurityInfrastructure and network security

Vulnerability management

Dovetail has vulnerability management policies and procedures in place to describe how we monitor for new vulnerabilities, enforce timelines and processes for remediation.

Scanning and detection

Dovetail utilizes a number of services to perform internal vulnerability scanning and package monitoring on a continuous basis.


Dovetail employs automated and integrated security scans of the web application through Detectify. Automated scans occur at least daily and any detected vulnerabilities immediately notify the engineering team.

Security advisories

Dovetail subscribes to GitHub's security alerts program. If GitHub detects a vulnerability from the GitHub Advisory Database or WhiteSource in one of the web application's dependencies, the engineering team is notified.


Dovetail utilizes Kandji for fleet management and endpoint security. Kandji automatically configures employee hardware in accordance with our asset management policy.

Image scanning

Dovetail utilizes Amazon ECR image scanning to identify vulnerabilities in container images. Amazon ECR image scanning uses the Common Vulnerabilities and Exposures (CVEs) from the open-source Clair project to scan and alert on known container vulnerabilities.


Dovetail utilizes Vanta to scan and monitor for package vulnerabilities. Vanta enforces compliance with vulnerability SLAs based on severity.

Severity and timing

Dovetail defines the severity of an issue via industry-recognized Common Vulnerability Scoring System (CVSS) scores, which all modern scanning and continuous monitoring systems utilize. The CVSS provides a way to capture the characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.

Low Severity - 0.1 - 3.9

Low severity vulnerabilities are likely to have very little impact on the business, perhaps because they require local system access.

Medium Severity - 4.0 - 6.9

Medium severity vulnerabilities usually require the same local network or user privileges to be exploited.

High Severity - 7.0 - 8.9

High severity vulnerabilities are typically difficult to exploit but could result in escalated privileges, significant data loss, and/or downtime.

Critical Severity - 9.0 - 10.0

Critical severity vulnerabilities likely lead to root level compromise of servers, applications, and other infrastructure components. If a critical vulnerability cannot be addressed within timelines as defined, an incident response ticket will be opened, documenting what interim remediation has been made.

Remediation process

When a vulnerability is detected and verified, the engineering team will remediate vulnerabilities within the SLA depending on the severity. Compliance of vulnerability SLAs is enforced via Vanta and tracked using Clubhouse.

Was this article useful?

Related articles


Penetration testing


Bradley Ayers

Co-founder / CTO

Article info

Last updated 16 June 2022
3 min read

Get help

Can’t find what you’re looking for? Search through our articles or contact our support team and get a response within 24 hours.

Get help
Get started, free forever

Start free
A few of our customers

See more customers →