Common use of Vulnerability and Risk Assessments Clause in Contracts

Vulnerability and Risk Assessments. At least annually, Contractor shall perform vulnerability tests and assessments of all systems that contain City Data. For any of Contractor’s applications that process City Data, such testing must also include penetration tests using intercept proxies to identify security vulnerabilities that cannot be discovered using automated tools, and code review or other manual verifications to occur at least annually. Contractor recognizes and agrees that work performed under this agreement may be subject to City’s vulnerability disclosure program. Contractor shall work with City in good faith to mitigate any vulnerabilities discovered as part of any City vulnerability disclosure program. Contractor shall perform such mitigation within the timeline required pursuant to the vulnerability disclosure program and at no additional cost to City. Contractor shall further hold harmless any security researcher identified by City that alerts City to vulnerabilities in accordance with the process and requirements of City’s vulnerability disclosure program.

Appears in 3 contracts

Samples: Entire Agreement, Agreement, Agreement


Vulnerability and Risk Assessments. At least annually, Contractor shall perform vulnerability tests and assessments of all systems that contain City Data. For any of Contractor’s applications that process City Data, such testing must also include penetration tests using intercept proxies to identify security vulnerabilities that cannot be discovered using automated tools, and code review or other manual verifications to occur at least annually. Contractor recognizes and agrees that work performed under this Agreement may be subject to City’s vulnerability disclosure program. Contractor shall work with City in good faith to mitigate any vulnerabilities discovered as part of any City vulnerability disclosure program. Contractor shall perform such mitigation within the timeline required pursuant to the vulnerability disclosure program and at no additional cost to City. Contractor shall further hold harmless any security researcher identified by City that alerts City to vulnerabilities in accordance with the process and requirements of City’s vulnerability disclosure program.

Appears in 1 contract

Samples: Agreement
