Skip to content

Vulnerability & Patch Management Standard

Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Vulnerability & Patch Management Policy
Framework Reference: Secure Controls Framework – Vulnerability & Patch Management (VPM)


This standard defines how FrontRunnerHC (FRHC) implements the enterprise-wide Vulnerability & Patch Management requirements established by Summit Technology Holdings, LLC (STH). It documents the specific controls, processes, and timelines FRHC uses to identify, rank, remediate, and verify vulnerabilities across FRHC’s Azure, AWS, and Microsoft 365 environments, and FRHC-managed endpoints.


This standard applies to all FRHC systems, applications, cloud workloads, databases, infrastructure, and endpoints. It extends to third-party systems where patching or vulnerability remediation is contractually required of FRHC. All FRHC IT staff and personnel with administrative access to systems are subject to this standard.


3.1 Vulnerability & Patch Management Program

Section titled “3.1 Vulnerability & Patch Management Program”

FRHC participates in the enterprise Vulnerability & Patch Management Program governed by STH. The program covers vulnerability identification, tracking, ranking, remediation, patching, scanning, and penetration testing. FRHC executes program activities in accordance with STH-defined priorities and risk tolerance, and maintains evidence to support enterprise oversight and compliance.

  • Parent Policy Mapping: STH Vulnerability & Patch Management Policy, Section 3.1
  • SCF Mapping: VPM-01 (Vulnerability & Patch Management Program (VPMP))

FRHC maintains a formal process for identifying and tracking vulnerabilities from discovery through remediation. Vulnerability identification leverages automated scanning tools integrated into FRHC’s Azure and AWS environments — including Microsoft Defender for Cloud and AWS Inspector. Vulnerability intelligence is also received from STH’s centralized threat management program and from vendor security advisories. Critical vulnerabilities identified through penetration testing or external security research are incorporated into the remediation process. All discovered vulnerabilities are logged, tracked, and retained for audit and compliance purposes.

  • Parent Policy Mapping: STH Vulnerability & Patch Management Policy, Section 3.2
  • SCF Mapping: VPM-02 (Vulnerability Remediation Process)

FRHC ranks identified vulnerabilities using CVSS scores and business risk criteria, considering exploitability, asset criticality, and the sensitivity of affected systems. Vulnerabilities on systems that process, store, or transmit ePHI or other regulated data receive the highest priority. Ranking determinations are documented and used to drive remediation sequencing and escalation to STH for high or critical findings.

  • Parent Policy Mapping: STH Vulnerability & Patch Management Policy, Section 3.3
  • SCF Mapping: VPM-03 (Vulnerability Ranking)

3.4 Continuous Vulnerability Remediation Activities

Section titled “3.4 Continuous Vulnerability Remediation Activities”

FRHC maintains continuous vulnerability remediation activities to address newly identified threats on an ongoing basis. Remediation is not limited to scheduled patching cycles; FRHC supports emergency out-of-band remediation for zero-day and actively exploited vulnerabilities. Where immediate remediation is not feasible, FRHC implements documented compensating controls — such as configuration hardening, access restrictions, or enhanced monitoring — until full remediation can be completed. Exceptions to remediation timelines require documented risk acceptance approval.

  • Parent Policy Mapping: STH Vulnerability & Patch Management Policy, Section 3.4
  • SCF Mapping: VPM-04 (Continuous Vulnerability Remediation Activities)

FRHC applies security patches and updates for operating systems, applications, and firmware in a timely manner based on risk and criticality. Security patches are applied according to the following risk-based timelines:

  • Critical severity: Within 3 days of patch availability
  • High severity: Within 14 days
  • Medium severity: Within 30 days
  • Low severity: Within 90 days or next scheduled maintenance window

Where staging or test environments are available, patches are tested prior to production deployment to validate stability, compatibility, and security effectiveness. Where no test environment exists, FRHC applies a risk-based approach to patch deployment, including change control approval, peer review, and rollback planning. Patch deployment is coordinated through FRHC’s Change Management process. Centralized patch deployment mechanisms are used wherever feasible to manage and verify patch installation at scale.

  • Parent Policy Mapping: STH Vulnerability & Patch Management Policy, Section 3.5
  • SCF Mapping: VPM-05 (Software & Firmware Patching), VPM-05.1 (Centralized Management of Flaw Remediation Processes)

FRHC conducts routine vulnerability scans across Azure, AWS, Microsoft 365, on-premises infrastructure, and endpoints. Scans are performed on a recurring basis and following significant system or configuration changes. High-risk and internet-facing systems are scanned more frequently than lower-risk assets. FRHC verifies patch deployment effectiveness through follow-up scans confirming vulnerability remediation. IT Security tracks remediation metrics including open vulnerability counts, time-to-remediation, and compliance with patch timelines. Metrics are reviewed periodically and evidence is provided to STH’s Security Team upon request.

  • Parent Policy Mapping: STH Vulnerability & Patch Management Policy, Section 3.6
  • SCF Mapping: VPM-06 (Vulnerability Scanning)

FRHC undergoes periodic independent penetration testing conducted by a qualified third-party firm. Testing covers external-facing IP addresses and public-facing applications. Penetration testing is also performed following significant changes that materially affect the attack surface. Findings are documented, risk-ranked, and tracked through FRHC’s vulnerability remediation process to completion.

  • Parent Policy Mapping: STH Vulnerability & Patch Management Policy, Section 3.7
  • SCF Mapping: VPM-07 (Penetration Testing)

FRHC maintains evidence of vulnerability scan results, patch deployment logs, remediation tracking records, penetration testing reports, and exception documentation. IT Security reviews vulnerability management metrics at least monthly and reports to the CIO on a quarterly basis. Evidence is retained to support SOC 2 Type II audits, HIPAA Security Rule compliance assessments, and STH enterprise oversight.


All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.

Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.


Parent Policy:

  • Summit Technology Holdings – Vulnerability & Patch Management Policy

Regulatory Requirements:

  • HIPAA Security Rule:
    • 45 CFR §164.308(a)(1)(ii)(A) – Risk Analysis
    • 45 CFR §164.308(a)(1)(ii)(B) – Risk Management
    • 45 CFR §164.308(a)(8) – Evaluation
  • AICPA SOC 2 Trust Services Criteria:
    • Security (CC7.1, CC7.2, CC7.3)

Framework Alignment:

  • VPM-01 – Vulnerability & Patch Management Program (VPMP)
  • VPM-02 – Vulnerability Remediation Process
  • VPM-03 – Vulnerability Ranking
  • VPM-04 – Continuous Vulnerability Remediation Activities
  • VPM-05 – Software & Firmware Patching
  • VPM-05.1 – Centralized Management of Flaw Remediation Processes
  • VPM-06 – Vulnerability Scanning
  • VPM-07 – Penetration Testing

RevDescriptionDateApproved
-Policy createdJuly 2021M Machin
1.0Formatting UpdateSeptember 2022WSI
2.0Updated and approved for 2024July 2024WSI
3.0Updated and approved for 2025July 2025M Machin
4.0Converted to StandardApril 2026M Machin
4.1Updated to SCF 2026.1; restructured to align with parent policyApril 2026M Machin

Internal Use Only