Vulnerability Management

How BttrForm identifies, prioritizes, and remedies security vulnerabilities through scanning, testing, and responsible disclosure.

Vulnerabilities are an inevitable reality of software development. New CVEs are published daily, dependencies introduce risks, and application code can contain flaws. What matters is having a systematic process to find, prioritize, and fix vulnerabilities before they can be exploited. This article describes BttrForm's vulnerability management program.

Dependency Scanning

BttrForm's codebase depends on hundreds of open-source packages. Each dependency is a potential source of vulnerabilities. We run automated dependency scanning to catch known issues as early as possible.

Automated Daily Scans

  • Dependabot monitors all package.json files across the monorepo and automatically opens pull requests when vulnerable dependencies are detected.
  • Snyk provides a second layer of scanning with deeper analysis, including transitive dependency vulnerabilities that Dependabot may miss.
  • Scans run daily against the latest vulnerability databases (NVD, GitHub Advisory Database, Snyk Vulnerability DB).

How We Handle Findings

1. Vulnerability detected in dependency
2. Severity assessed (Critical / High / Medium / Low)
3. Automated PR created with patched version (if available)
4. Engineering reviews PR for compatibility
5. PR merged and deployed according to patch SLA
6. If no patch available, mitigation applied (WAF rule, code workaround)

Transitive Dependencies

A direct dependency may be safe, but one of its dependencies may not be. BttrForm scans the entire dependency tree, not just top-level packages, to catch vulnerabilities in transitive dependencies.

Penetration Testing

Automated scanning catches known vulnerabilities, but it cannot find business logic flaws, complex attack chains, or novel vulnerabilities. BttrForm engages third-party security firms to conduct penetration tests.

Testing Schedule

Test Type                         | Frequency | Scope
Full application penetration test | Annually  | All endpoints, authentication, authorization, data handling
API security assessment           | Annually  | REST API, webhook endpoints, file upload handling
Infrastructure assessment         | Annually  | Network configuration, cloud security, container security
Targeted assessment               | As needed | New features, major architectural changes

What Pen Testers Evaluate

  • Authentication and session management -- Can an attacker bypass login, hijack sessions, or escalate privileges?
  • Authorization and access control -- Can a user access another user's data through API manipulation or parameter tampering?
  • Input validation -- Are forms, APIs, and file uploads vulnerable to injection attacks (SQL, XSS, command injection)?
  • Business logic -- Can an attacker manipulate workflows, bypass billing, or abuse features in unintended ways?
  • Infrastructure -- Are servers, databases, and network configurations hardened against attack?

Remediation

All findings from penetration tests are triaged, prioritized, and fixed according to the CVE patch SLAs described below. Critical and high findings are addressed before the penetration test report is finalized.

Reports Available on Request

Enterprise customers can request a summary of the most recent penetration test results. Contact your account manager or email security@bttrlabs.com.

CVE Patch SLAs

BttrForm maintains strict Service Level Agreements for patching known vulnerabilities, measured from the time a vulnerability is confirmed to affect our systems.

Severity | CVSS Score  | Patch Deadline | Examples
Critical | 9.0 -- 10.0 | 24 hours       | Remote code execution, authentication bypass, SQL injection
High     | 7.0 -- 8.9  | 72 hours       | Privilege escalation, significant data exposure, XSS with high impact
Medium   | 4.0 -- 6.9  | 7 days         | Limited data exposure, denial of service, low-impact XSS
Low      | 0.1 -- 3.9  | 30 days        | Information disclosure with minimal impact, cosmetic security issues

Patch Process

  1. Confirm applicability -- Verify the CVE affects BttrForm's specific configuration and usage of the component.
  2. Assess impact -- Determine the real-world risk in BttrForm's context (a critical CVE in an unused feature may be lower priority).
  3. Apply patch -- Update the affected dependency or apply a code fix.
  4. Test -- Run the full test suite, including security-specific tests, to verify the patch does not break functionality.
  5. Deploy -- Push the fix to production within the SLA window.
  6. Verify -- Confirm the vulnerability is no longer exploitable in the production environment.
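The SLA table and patch process above can be turned into a small tracker that classifies each confirmed finding by CVSS band, computes its deadline from the confirmation time, and lists what is overdue. This is an added example, not BttrForm's own tooling; the Finding type, the CVE identifiers (placeholders) and the sample timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# SLA bands from the table above: (severity, CVSS low, CVSS high, patch window after confirmation).
SLA_BANDS = [
    ("Critical", 9.0, 10.0, timedelta(hours=24)),
    ("High", 7.0, 8.9, timedelta(hours=72)),
    ("Medium", 4.0, 6.9, timedelta(days=7)),
    ("Low", 0.1, 3.9, timedelta(days=30)),
]

@dataclass
class Finding:
    cve_id: str                              # placeholder IDs are used in the sample below
    cvss: float                              # CVSS base score, one decimal place
    confirmed_at: datetime                   # step 1 ("confirm applicability"): the SLA clock starts here
    patched_at: Optional[datetime] = None    # step 5 ("deploy"): None while the finding is still open

def classify(cvss):
    """Return (severity, patch window) for a CVSS score; raises if the score falls in no band."""
    score = round(cvss, 1)   # normalise so a computed score such as 6.95 still lands in a band
    for severity, low, high, window in SLA_BANDS:
        if low <= score <= high:
            return severity, window
    raise ValueError(f"CVSS {cvss} has no SLA band (0.0 means no vulnerability)")

def sla_status(finding, now):
    """Evaluate one finding; 'met' is provisional while open and final once patched_at is set."""
    severity, window = classify(finding.cvss)
    deadline = finding.confirmed_at + window
    reference = finding.patched_at or now
    return {"cve_id": finding.cve_id, "severity": severity, "deadline": deadline,
            "open": finding.patched_at is None, "met": reference <= deadline,
            "remaining": deadline - reference}   # negative once the deadline has passed

def overdue(findings, now):
    """Open findings that have blown their deadline, most overdue first."""
    late = [s for s in (sla_status(f, now) for f in findings) if s["open"] and not s["met"]]
    return sorted(late, key=lambda s: s["remaining"])

def demo():
    """Constructed sample: three findings confirmed at the same time, checked 30 hours later."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    queue = [Finding("CVE-0000-0001", 9.8, t0),                                       # open, past 24h
             Finding("CVE-0000-0002", 7.5, t0, patched_at=t0 + timedelta(hours=48)),  # closed inside 72h
             Finding("CVE-0000-0003", 5.3, t0)]                                       # open, inside 7 days
    return [s["cve_id"] for s in overdue(queue, t0 + timedelta(hours=30))]
```

Note that the band edges are inclusive on both sides, so a score of 8.9 is High and 9.0 is Critical, matching the table.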

Zero-Day Vulnerabilities

For zero-day vulnerabilities with active exploitation (CVE published with no patch available), BttrForm implements immediate mitigations such as WAF rules, feature disabling, or traffic filtering while waiting for an upstream patch.

Responsible Disclosure Program

BttrForm welcomes reports from security researchers who discover vulnerabilities in our platform. We operate a responsible disclosure program to ensure vulnerabilities are reported safely and fixed promptly.

How to Report a Vulnerability

Send your report to security@bttrlabs.com with the following information:

  • Description of the vulnerability
  • Steps to reproduce (including URLs, parameters, and payloads)
  • Impact assessment (what an attacker could achieve)
  • Screenshots or proof-of-concept code (if applicable)
  • Your contact information for follow-up

Scope

The following are in scope for our responsible disclosure program:

  • BttrForm web application (app.bttrform.com)
  • BttrForm API (api.bttrform.com)
  • BttrForm marketing site (bttrform.com)
  • BttrForm embed widget
  • Authentication and session management
  • Data access and authorization

The following are out of scope:

  • Social engineering attacks against BttrForm employees
  • Physical security of BttrForm offices or data centers
  • Denial of service (DoS/DDoS) attacks
  • Vulnerabilities in third-party services that BttrForm integrates with
  • Issues that require unlikely user interaction (e.g., self-XSS)

Our Commitments

  • Acknowledgment within 2 business days of receiving your report.
  • Triage and assessment within 5 business days.
  • Status updates at least every 10 business days until resolution.
  • No legal action against researchers acting in good faith within the scope of this program.
  • Credit in our security acknowledgments page (if you wish).

Rewards

BttrForm offers rewards for qualifying vulnerability reports based on severity:

Severity | Reward Range
Critical | $500 -- $2,000
High     | $200 -- $500
Medium   | $50 -- $200
Low      | Recognition

Reward amounts depend on the quality of the report, the impact of the vulnerability, and whether it is a duplicate of a known issue.

Security Headers

BttrForm configures HTTP security headers on all responses to protect against common web attacks.

Header                    | Value                                              | Purpose
Content-Security-Policy   | Strict policy limiting script and resource origins | Prevents XSS and data injection
Strict-Transport-Security | max-age=31536000; includeSubDomains                | Forces HTTPS for all connections
X-Content-Type-Options    | nosniff                                            | Prevents MIME type sniffing
X-Frame-Options           | DENY                                               | Prevents clickjacking via iframes
X-XSS-Protection          | 0 (disabled, CSP preferred)                        | Legacy header, CSP provides better protection
Referrer-Policy           | strict-origin-when-cross-origin                    | Limits referrer information leakage
Permissions-Policy        | Restricts camera, microphone, geolocation          | Limits browser feature access

Verifying Headers

You can inspect BttrForm's security headers using browser developer tools (Network tab) or by running curl -I https://app.bttrform.com to see the response headers.
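Reading the headers by eye works for a one-off check; the script below audits curl -I style output against every row of the table above and reports which headers are missing or weaker than the stated value. It is an added example rather than BttrForm's own code; the interpretation of "strict policy" for CSP (script sources pinned, no inline or wildcard sources) and the sample response are assumptions constructed for illustration, not a capture from bttrform.com.

```python
import re

def check_hsts(v):
    m = re.search(r"max-age=(\d+)", v)
    if not m or int(m.group(1)) < 31536000:
        return "max-age missing or shorter than one year (31536000)"
    return None if "includesubdomains" in v.lower() else "includeSubDomains not set"

def check_csp(v):
    # "Strict" is read here as: script sources pinned by script-src (or default-src), no inline/wildcard.
    directives = {p[0].lower(): set(p[1:]) for p in (d.split() for d in v.split(";")) if p}
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return "no script-src or default-src directive"
    loose = sorted({"'unsafe-inline'", "*", "http:", "https:"} & sources)
    return f"script sources allow {', '.join(loose)}" if loose else None

def check_permissions(v):
    allow = dict(re.findall(r"([a-z-]+)=\(([^)]*)\)", v))        # feature -> allowlist text
    weak = [f for f in ("camera", "microphone", "geolocation") if allow.get(f, "*").strip() not in ("", "self")]
    return f"not restricted: {', '.join(weak)}" if weak else None

def exact(expected):
    return lambda v: None if v.strip().lower() == expected else f"expected {expected!r}, got {v.strip()!r}"

# One checker per row of the table above; a checker returns None when the value meets the policy.
EXPECTED = {
    "content-security-policy": check_csp,
    "strict-transport-security": check_hsts,
    "x-content-type-options": exact("nosniff"),
    "x-frame-options": exact("deny"),
    "x-xss-protection": exact("0"),            # legacy filter off; CSP is the real defence
    "referrer-policy": exact("strict-origin-when-cross-origin"),
    "permissions-policy": check_permissions,
}

def audit(raw):
    """Audit `curl -I` style output; returns {header: problem}, empty when every row is satisfied."""
    fields = (line.partition(":") for line in raw.splitlines()[1:])   # skip the status line
    headers = {name.strip().lower(): value.strip() for name, sep, value in fields if sep}
    verdicts = {n: "missing" if n not in headers else check(headers[n]) for n, check in EXPECTED.items()}
    return {n: why for n, why in verdicts.items() if why}

# Constructed sample, not a capture from bttrform.com: three rows are weak, one is fine, the rest absent.
WEAK_RESPONSE = """HTTP/2 200
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'
strict-transport-security: max-age=300
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
"""
```

Pipe real output in with `audit(subprocess.run(["curl", "-sI", url], capture_output=True, text=True).stdout)`; an empty result means every row of the table is satisfied.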

Infrastructure Security

BttrForm's infrastructure is designed with defense in depth -- multiple overlapping layers of security so that no single failure compromises the system.

Network Architecture

  • Private subnets -- Database servers and internal services run in private subnets with no direct internet access. Only application servers in public subnets can reach them.
  • Firewall rules -- Network security groups restrict traffic to only the ports and protocols required for each service.
  • VPN access -- Administrative access to infrastructure requires VPN connection with multi-factor authentication.

Web Application Firewall (WAF)

A WAF sits in front of all BttrForm endpoints and filters malicious traffic:

  • SQL injection attempt detection and blocking
  • Cross-site scripting (XSS) payload filtering
  • Path traversal attack prevention
  • Rate limiting on authentication endpoints
  • Geographic blocking (configurable per customer on Enterprise plans)

DDoS Protection

  • Layer 3/4 protection -- Network-level DDoS mitigation provided by our cloud infrastructure, capable of absorbing volumetric attacks.
  • Layer 7 protection -- Application-level rate limiting and traffic analysis to detect and mitigate sophisticated application-layer attacks.
  • Auto-scaling -- Infrastructure automatically scales to handle traffic spikes, whether legitimate or malicious.

Uptime

BttrForm maintains a 99.9% uptime SLA for Business and Enterprise plans. Our infrastructure is designed to remain available even during active DDoS attacks. Current uptime statistics are published on our status page.
