Below are the terms that make up the Patch Management for Custom Software Solution Schedule. This document was last updated on 24th October 2022 at 12:00 PM Melbourne Time.

  1. How this Software Solutions Schedule works
    1. MSA: This is a Solutions Schedule under the MSA between Vokke and the Client identified in a SOW. The provisions of the MSA, including any and all amendments and variations to it as may be agreed on from time to time, will be incorporated into this Solutions Schedule by reference as if written out here in full. All defined terms used in this Solutions Schedule will have the same meaning as that given in the MSA. All terms of the MSA apply to this Solutions Schedule unless explicitly superseded. Where conflict exists between this Solutions Schedule and the remaining documents forming the MSA, the MSA will determine the precedence.
  2. Definitions
    (a) ‘Approved Sources’ means security bulletins coming from AusCERT at https://www.auscert.org.au and at Vokke’s discretion, other threat intelligence sources.
    (b) ‘AusCERT’ means the not-for-profit cyber emergency response team based in Australia as described at https://auscert.org.au/.
    (c) ‘Checking Schedule’ means at least once every 3 (three) days.
    (d) ‘Common Vulnerability Score System’ or CVSS means the Common Vulnerability Score System as set out on https://www.first.org/cvss/
    (e) ‘Patch Management Services’ means (1) the periodic checking of security bulletins published by Approved Sources on the agreed Checking Schedule for Vulnerabilities that may be present in a System Element, and (2) responding to alerts that may enter our emergency warning alert system (EWAS).
    (f) ‘Security incident’ means a verified data exfiltration, intrusion or exploitation attempt on a given System Element.
    (g) ‘System Element’ includes any services, systems, components, libraries or source code contained or within a custom software solution, as specified in the SOW.
    (h) ‘Vulnerability’ means a weakness of a System Element that can be exploited by one or more proven threats.
    (i) ‘Client Information’ means the data, information and materials as reasonably required by Vokke to assist in developing the Services.
  3. Client Information
    1. The Client must supply the Client Information to Vokke as soon as practicable after the Start Date of the SOW, together with such other information as Vokke reasonably requires in order to perform the Services. The Client must only supply dummy data or copies of the Client’s Information and must not supply access to any Client Information where the modification or loss of such Client Information may adversely affect the Client.
    2. Vokke is under no obligation to perform the Services unless and until the Client Information is received and is in a suitable state to enable Vokke to provide the Services.
    3. Risk and title in the physical items forming part of the Client Information remains with the Client at all times. While Vokke will take reasonable care to prevent physical items forming part of the Client Information in its possession from loss, theft or destruction, Vokke accepts no responsibility in relation to the Client Information.
  4. Supply of Services and Deliverables
    1. The Client acknowledges that due to the nature of the Services, Vokke cannot guarantee timely performance. Vokke will notify and consult with the Client in the event of any material delays or technical difficulties in performing the Services.
    2. The Client acknowledges and agrees that in order to provide the Services Vokke will in its sole discretion choose the languages, frameworks, tools, technologies, patterns and processes to be used in delivering the Service.
  5. The Service
    1. For any vulnerabilities identified from the Patch Management Services (Vulnerabilities), Vokke agrees to:
      1. Assess the Vulnerability and determine its impact to the System Element in question. If the Vulnerability has a value of 4 (four) or greater, Vokke will adopt the Patch Implementation Process;
      2. If a CVSS score is not present for the given Vulnerability, Vokke will use their best assessment to determine the severity and risk of the Vulnerability, and may, at their discretion, adopt the Patch Implementation Process; and
      3. Record the outcome of any assessments undertaken.
    2. Patch Management Process
      1. Given an identified Vulnerability within a System Element, Vokke will attempt to remediate the Vulnerability by making code modifications, deploying a patch, deploying a virtual patch or making a configuration change; unless:
        1. Significant re-engineering, quality assurance testing or functional redesign is required. If this is the case, a quote may be provided by Vokke to the Client, which, upon acceptance by the Client, will result in the patch being implemented.
        2. The Vulnerability exists within a 3rd party system whereby:
          1. The 3rd party themselves have not released a patch; and
          2. Vokke is unable to remediate the Vulnerability by bypassing or disabling certain functionality within the given 3rd party system.
      2. While remediating a given Vulnerability, Vokke will assign an internal designated security assessor (DSA) to oversee the remediation attempt and the DSA will keep the Client informed throughout this process.
      3. Further, the Client agrees that:
        1. The delivery of the Patch Management Services, including the retrieval of security bulletins or adherence to the Checking Schedule depends on the availability of AusCERT. The Client agrees that Vokke will not be held responsible if information cannot be retrieved in a timely manner from AusCERT;
        2. The delivery of the Patch Management Services may be impeded if a system outage, infrastructure issue, upgrade, or software bug renders the system inoperable, and that during such an event, the delivery of Patch Management Services may be temporarily limited or impaired; and
        3. No service level objective (SLO) or service level agreement (SLA) will apply for the duration in which it takes to remediate a given Vulnerability. Due to the nature of Vulnerabilities, all remediation attempts will be done according to a best-effort schedule as managed by Vokke.
  6. Exclusions and Coverage
    1. The Patch Management Services are not applied retrospectively. That is, only Vulnerabilities identified through the Approved Sources that have been issued after the signing of this Solution Schedule will be considered for remediation.
    2. This Solution Schedule outlines the provisioning of various managed security Services on behalf of the Client by Vokke. The Client understands that any security activities not listed in this Solution Schedule are expressly out of scope and as such, other security controls may be required by the Client to fully manage their security exposure. The Client understands that such additional controls are their responsibility. Further, the Client understands that not all exploits and vulnerabilities may be identified in the Approved Sources.
  7. Use of Deliverables
    1. The Client must use the Deliverables solely for the Permitted Use. The Client must not sell, license, transfer, disclose, or otherwise provide access to the Deliverables to any third party, unless Vokke has given its express written consent beforehand, or such use expressly forms part of the Permitted Use.

Subscribe to our Newsletter

We bring the years and global experience to custom software projects all over the world.

"*" indicates required fields