Common use of Vulnerability Management Clause in Contracts

Vulnerability Management. Supplier is responsible for running its own vulnerability management. In addition, McAfee Enterprise requires daily vulnerability scans performed on all internet facing web sites where McAfee Enterprise has branded content and is the primary site owner or ‘McAfee Enterprise’ is part of the URL. McAfee Enterprise uses the McAfee Enterprise Secure vulnerability scanning solution. Vulnerabilities will be reported to the Supplier for remediation. The Supplier can request information for: vulnerability reports, demonstration of the vulnerabilities (when available) and remediation support. McAfee Enterprise does not charge the Supplier for the McAfee Enterprise Secure scanning service. McAfee Enterprise requires daily access to the reports. Upon identification of security vulnerabilities in a production application, the Supplier must remediate within the following time lines: Critical: 7 days; High: 30 days; Medium: 90 days; Low: 180 days. If the security vulnerabilities identified by the McAfee Enterprise vulnerability scanning process have not been addressed in the above timelines, McAfee Enterprise may shut down the web site until the vulnerabilities are remediated. Returning the site to production status requires the site to pass a scan for McAfee Enterprise compliance. McAfee Enterprise considers a web site compliant when McAfee Enterprise security standards are met. McAfee Security will notify Suppliers of each of the McAfee Enterprise security standards not met.
Any changes to the architecture or function of a service or data model in the cloud must first be reviewed and approved by McAfee Enterprise. Applications that require physical separation cannot be on a cloud-based service. Cloud vendors are required to have background checks and validation of employees with privileged account access. This includes any third-party vendors that may contract with those vendors and have privileged access as well.

Appears in 1 contract

Samples: Enterprise Supplier

Vulnerability Management. If Supplier is hosting a public-facing McAfee Enterprise website, Supplier shall perform daily vulnerability scans on all internet facing web sites where McAfee Enterprise has branded content, McAfee Enterprise is the primary site owner or either ‘McAfee’ or ‘McAfee Enterprise’ is part of the URL. McAfee Enterprise uses the McAfee Enterprise Secure vulnerability scanning solution. Vulnerabilities will be reported to the Supplier for remediation. The Supplier can request information for vulnerability reports, demonstration of the vulnerabilities (when available) and remediation support. McAfee Enterprise will not charge the Supplier for the McAfee Enterprise Secure scanning service. McAfee Enterprise requires daily access to the reports. Upon identification of security vulnerabilities in a production application, the Supplier must remediate within the minimal following time lines: (i) Urgent or Critical, McAfee Enterprise threat rating [5] or [4] must be remediated in 1 to 5 calendar days; (ii) High, McAfee Enterprise threat rating [3] must be remediated within 10 calendar days and (iii) Medium, McAfee Enterprise threat rating [2] must be remediated within 30 calendar days. If the security vulnerabilities identified by the McAfee Enterprise vulnerability scanning process have not been addressed in the above timelines, McAfee Enterprise may shut down the web site until the vulnerabilities are remediated. Returning the site to production status requires the site to pass a scan for McAfee Enterprise compliance. McAfee Enterprise considers a web site compliant when McAfee Enterprise security standards are met. McAfee Enterprise will notify Suppliers any time the McAfee Enterprise security standards are not met.
Any changes to the architecture or function of a service or data model in the cloud must first be reviewed and approved by McAfee Enterprise. Applications that require physical separation cannot be on a cloud-based service. Cloud vendors are required to have background checks and validation of employees with privileged account access. This includes any third-party vendors that may contract with those vendors and have privileged access as well.

Appears in 1 contract

Samples: Enterprise Supplier

Vulnerability Management. Supplier is responsible for running its own vulnerability management. In addition, McAfee Enterprise requires daily vulnerability scans performed on all internet facing web sites where McAfee Enterprise has branded content and is the primary site owner or ‘McAfee Enterprise’ is part of the URL. McAfee Enterprise uses the McAfee Enterprise Secure vulnerability scanning solution. Vulnerabilities will be reported to the Supplier for remediation. The Supplier can request information for: vulnerability reports, demonstration of the vulnerabilities (when available) and remediation support. McAfee Enterprise does not charge the Supplier for the McAfee Enterprise Secure scanning service. McAfee Enterprise requires daily access to the reports. Upon identification of security vulnerabilities in a production application, the Supplier must remediate within the following time lines: Critical: 7 days; High: 30 days; Medium: 90 days; Low: 180 days. If the security vulnerabilities identified by the McAfee Enterprise vulnerability scanning process have not been addressed in the above timelines, McAfee Enterprise may shut down the web site until the vulnerabilities are remediated. Returning the site to production status requires the site to pass a scan for McAfee Enterprise compliance. McAfee Enterprise considers a web site compliant when McAfee Enterprise security standards are met. McAfee Enterprise Security will notify Suppliers of each of the McAfee Enterprise security standards not met.
Any changes to the architecture or function of a service or data model in the cloud must first be reviewed and approved by McAfee Enterprise. Applications that require physical separation cannot be on a cloud-based service. Cloud vendors are required to have background checks and validation of employees with privileged account access. This includes any third-party vendors that may contract with those vendors and have privileged access as well.

Appears in 1 contract

Samples: Enterprise Supplier

Vulnerability Management. If Supplier is hosting a public-facing McAfee Enterprise website, Supplier shall perform daily vulnerability scans on all internet facing web sites where McAfee Enterprise has branded content, McAfee Enterprise is the primary site owner or ‘McAfee Enterprise’ is part of the URL. McAfee Enterprise uses the McAfee Enterprise Secure vulnerability scanning solution. Vulnerabilities will be reported to the Supplier for remediation. The Supplier can request information for vulnerability reports, demonstration of the vulnerabilities (when available) and remediation support. McAfee Enterprise will not charge the Supplier for the McAfee Enterprise Secure scanning service. McAfee Enterprise requires daily access to the reports. Upon identification of security vulnerabilities in a production application, the Supplier must remediate within the minimal following time lines: (i) Urgent or Critical, McAfee Enterprise threat rating [5] or [4] must be remediated in 1 to 5 calendar days; (ii) High, McAfee Enterprise threat rating [3] must be remediated within 10 calendar days and (iii) Medium, McAfee Enterprise threat rating [2] must be remediated within 30 calendar days. If the security vulnerabilities identified by the McAfee Enterprise vulnerability scanning process have not been addressed in the above timelines, McAfee Enterprise may shut down the web site until the vulnerabilities are remediated. Returning the site to production status requires the site to pass a scan for McAfee Enterprise compliance. McAfee Enterprise considers a web site compliant when McAfee Enterprise security standards are met. McAfee Enterprise will notify Suppliers any time the McAfee Enterprise security standards are not met.
Any changes to the architecture or function of a service or data model in the cloud must first be reviewed and approved by McAfee Enterprise. Applications that require physical separation cannot be on a cloud-based service. Cloud vendors are required to have background checks and validation of employees with privileged account access. This includes any third-party vendors that may contract with those vendors and have privileged access as well.

Appears in 1 contract

Samples: Enterprise Supplier
