Control of Technical Vulnerabilities and Penetration Testing. Supplier shall perform vulnerability scans at intervals consistent with industry best practices to identify potential technical vulnerabilities based on notification of ZERO day vulnerabilities. Supplier shall subscribe to industry recognized threat monitoring service. Once a potential technical vulnerability has been identified, Supplier shall identify the associated risks and the actions to be taken. Such action shall involve patching of vulnerable systems and/or applying other controls. Supplier shall define and establish the roles and responsibilities associated with technical vulnerability management, including vulnerability monitoring, vulnerability risk assessment, patching, asset tracking, and any coordination responsibilities required. Supplier shall agree in writing that prior to production the application will undergo vulnerability and source code analysis. Postproduction, Supplier shall perform contractually agreed upon security scans (with the most current signature files) to verify that the system has not been compromised during the testing phase. Supplier shall provide written documentation to UL Solutions of the results of the scans and tests along with a mitigation plan. Supplier shall agree in writing that these vulnerabilities shall be mitigated pursuant to the policies of each Customer entity.
Appears in 2 contracts
Sources: Purchase Order Terms, Purchase Order Terms
Control of Technical Vulnerabilities and Penetration Testing. Supplier shall perform vulnerability scans at intervals consistent with industry best practices to identify potential technical vulnerabilities based on notification of ZERO day vulnerabilities. Supplier shall subscribe to industry recognized threat monitoring service. Once a potential technical vulnerability has been identified, Supplier shall identify the associated risks and the actions to be taken. Such action shall involve patching of vulnerable systems and/or applying other controls. Supplier shall define and establish the roles and responsibilities associated with technical vulnerability management, including vulnerability monitoring, vulnerability risk assessment, patching, asset tracking, and any coordination responsibilities required. Supplier shall agree in writing that prior to production the application will undergo a vulnerability and source code analysis. Postproduction, Supplier shall perform contractually agreed upon security scans (with the most current signature files) to verify that the system has not been compromised during the testing phase. Supplier shall provide written documentation to UL Solutions of the results of the scans and tests along with a mitigation plan. Supplier shall agree in writing that these vulnerabilities shall be mitigated pursuant to the policies of each Customer entity.
Appears in 1 contract
Sources: Purchase Order Terms
Control of Technical Vulnerabilities and Penetration Testing. Supplier shall perform vulnerability scans at intervals consistent with industry best practices to identify potential technical vulnerabilities based on notification of zero (0) day vulnerabilities. Supplier shall subscribe to industry recognized threat monitoring service. Once a potential technical vulnerability has been identified, Supplier shall identify the associated risks and the actions to be taken. Such action shall involve patching of vulnerable systems and/or applying other controls. Supplier shall define and establish the roles and responsibilities associated with technical vulnerability management, including vulnerability monitoring, vulnerability risk assessment, patching, asset tracking and any coordination responsibilities required. Supplier shall agree in writing that prior to production the application will undergo a vulnerability and source code analysis. Postproduction, Supplier shall perform contractually agreed upon security scans (with the most current signature files) to verify that the system has not been compromised during the testing phase. Upon request Supplier shall provide an executive summary report to Buyer of the results of the scans and tests along with a mitigation plan. Supplier shall agree in writing that these vulnerabilities shall be mitigated pursuant to the policies of each Customer entity.
Appears in 1 contract
Sources: Participation Agreement