IR-06 (02) Vulnerabilities Related To Incidents
Introduction
This document describes how Private Mendix Platform fulfills the IR-06 (02) control.
| Control ID | IR-06 (02) |
|---|---|
| Control category | IR - Incident Response |
| Requirement baseline | IL4 |
| Responsibility and ownership | Mendix - Private Mendix Platform, Mendix - Operator, Customer - Infra |
Control
The organization reports information system vulnerabilities associated with reported security incidents to organization-defined personnel or roles.
Responsibility
Mendix Responsibility
Mendix is responsible to address and respond to vulnerabilities and security incidents related to Mendix products that are reported to Mendix, in accordance with applicable regulations and following the Mendix security incident and vulnerability response policy.
Customer Responsibility
The customer is responsible for specifying the recipients to whom information system vulnerabilities and security incidents should be reported.
Guidance
Mendix Responsibility
Mendix will respond to information system vulnerabilities and incidents caused by Mendix products and reported to Mendix in compliance with appropriate regulations and in alignment with our security incident and vulnerability response policy.
Customer Responsibility
It is the responsibility of the customer to indicate who should receive reports about information system vulnerabilities and security incidents.
It is the responsibility of the Infra Implementer, App Implementer, Infra Operator, and App Operator to report information system vulnerabilities associated with reported security incidents to whomever the customer indicates.
Proof and Remarks
Details about the Mendix security incident response are available in Section IV of the SOC-2 report in Conveyor.