Vulnerability Management Policy

Last updated: April 1, 2026

Blueprint Finance LLC, doing business as Blueprint AI ("Blueprint"), maintains a vulnerability management program to identify, assess, prioritize, and remediate security vulnerabilities across our systems, applications, and dependencies. This policy defines our patching SLAs and ongoing monitoring practices.

1. Scope

This policy applies to all Blueprint production systems, web and mobile applications, third-party dependencies, and infrastructure components including cloud services, APIs, and development tooling.

2. Vulnerability Identification

Blueprint identifies vulnerabilities through the following methods:

  • Dependency scanning — npm audit is run on every build and prior to every production deployment to detect known vulnerabilities in third-party packages
  • Security advisories — Active monitoring of GitHub Dependabot alerts, CVE databases, and security advisories for all frameworks in use (Next.js, Expo, NestJS, Supabase)
  • Code review — Security-focused code review prior to merging changes that affect authentication, data access, or payment flows
  • OWASP Top 10 — Periodic review of all application surfaces against the OWASP Top 10 vulnerability categories
  • Third-party notifications — Security notifications from Vercel, Supabase, Plaid, Stripe, and other service providers

3. Vulnerability Severity Classification

Identified vulnerabilities are classified by severity using the Common Vulnerability Scoring System (CVSS):

  • Critical (CVSS 9.0–10.0) — Active exploitation or imminent risk to consumer financial data, authentication systems, or payment processing
  • High (CVSS 7.0–8.9) — Significant risk with potential for unauthorized data access, privilege escalation, or service disruption
  • Medium (CVSS 4.0–6.9) — Moderate risk that may be exploited under specific conditions with limited impact
  • Low (CVSS 0.1–3.9) — Minimal risk with little or no impact on confidentiality, integrity, or availability

4. Patching SLA (Service Level Agreement)

Blueprint commits to remediating identified vulnerabilities within the following timeframes from the date of identification:

  • Critical — 24 hours: immediate escalation; emergency patch or mitigation deployed within 24 hours
  • High — 7 days: patch or compensating control deployed within 7 days
  • Medium — 30 days: patch applied within the next scheduled maintenance cycle, not to exceed 30 days
  • Low — 90 days: addressed in the next planned release cycle

5. End-of-Life (EOL) Software Management

Blueprint actively monitors and manages end-of-life software across all systems:

  • Runtime monitoring — Node.js, React Native/Expo, and all runtimes are maintained on actively supported LTS versions. EOL versions are upgraded within 30 days of the official EOL date
  • Framework tracking — Next.js, NestJS, and Expo SDK versions are tracked against their official support schedules. Upgrades are planned in advance of EOL dates
  • Dependency review — Third-party npm packages are reviewed quarterly for EOL status, abandonment, or lack of security support
  • Cloud infrastructure — Infrastructure managed by Vercel and Supabase is maintained by those providers on supported versions; Blueprint monitors provider announcements for deprecation notices
  • Policy review — EOL management practices are reviewed and updated at least annually

6. De-provisioning and Access Termination

Blueprint maintains automated and procedural controls to ensure access is promptly revoked when no longer needed:

  • Upon termination or role change, access to all systems (Supabase, Vercel, GitHub, Stripe, Plaid, cloud services) is revoked within 24 hours
  • API keys and secrets held by departing personnel are rotated immediately
  • OAuth tokens and service credentials are invalidated upon departure
  • A de-provisioning checklist is completed and documented for each access termination event
  • Third-party integrations are reviewed upon any personnel change to ensure no residual access remains

7. Zero Trust Architecture

Blueprint's infrastructure is built on zero trust principles — no implicit trust is granted based on network location or prior authentication:

  • Every API request is authenticated and authorized independently, regardless of origin
  • Row-level security (RLS) is enforced at the database layer — no request can access data without explicit authorization
  • Service credentials are scoped to the minimum permissions required and are never shared across services
  • All inter-service communication is encrypted in transit via TLS 1.2+
  • Production secrets are stored in encrypted secrets management systems and never embedded in code

8. Policy Review

This policy is reviewed at least annually. All identified vulnerabilities and remediation actions are tracked and documented. For questions, contact us at blueprintappai@outlook.com.

© 2026 Blueprint Finance LLC. All rights reserved.
