Vulnerability Management Policy

Woodward Associates Ltd

Version: 0.11, 18/05/2026

Woodward Associates aim to be a best-in-class provider of high-quality health software solutions, delivering excellence across the customer experience whilst continuously improving our development processes.  Ensuring the security and integrity of our products and customer information is central to achieving this ambition.

This Vulnerability Management Policy outlines our approach to addressing security vulnerabilities.  We recommend you read this policy in full before reporting a vulnerability and ensure you act in compliance with it.

In addition, Woodward Associates actively monitors the National Vulnerability Database (NVD) to identify and address potential flaws: https://nvd.nist.gov/

Please note that we do not offer monetary rewards for vulnerability disclosures; however, we value those who take the time and effort to report security vulnerabilities responsibly.

Reporting Vulnerabilities

If you believe you have identified a security vulnerability, please report it via one of the following:

  • Security email:        security@woodwardassoc.co.uk
  • Support email:         support@woodwardassoc.co.uk
  • Support desk phone:    +44 (0)1753 928131

What to Include in your Report

  • A brief description of the type of vulnerability (e.g. “XSS vulnerability”)
  • The Site/Application/IP address/Web Page where the vulnerability can be observed (ideally with the version number if available)
  • Steps to reproduce (these should be clear, benign, and non-destructive to ensure that the report can be assessed quickly and accurately)

Our Process

Assessment

Upon receipt of a security vulnerability, we will carry out an initial assessment of the report.

This assessment starts with us logging the report and assigning it a unique identification number that will be used throughout the entire process.

We then classify the vulnerability based on its severity and, where necessary, contact those who made the report for additional information until we can reproduce the issue.

The Common Vulnerability Scoring System (CVSS v4.0, https://www.first.org/cvss/) is used to classify reproduced vulnerabilities based on their severity, as below:

  CVSS Classification   CVSS Score    Acknowledgement
  Low                   0.1 to 3.9    3 Working Days
  Medium                4.0 to 6.9    2 Working Days
  High                  7.0 to 8.9    1 Working Day
  Critical              9.0 to 10     1 Working Day

Acknowledgement

We will respond to the initial report based upon the perceived severity as detailed in the table above.  We will include the initial assessment and severity classification as part of the acknowledgement.

End User Notification

All affected users and relevant technical partners will be informed within 5 working days of a vulnerability being confirmed.

Remediation

Within 2 working weeks of initial confirmation, we will schedule appropriate remediation based upon the impact and severity of the vulnerability, as well as the ease or complexity of the exploit required to produce it.

The actual resolution of the vulnerability may vary depending on the nature and severity of the issue.

Regular Updates

Affected users and partners will receive regular progress updates detailing the development and implementation of solutions.  These updates will be made at key points within the process: when the remediation is identified, when it is scheduled for development, when development is underway, when it is in testing, and finally when it is released.

Resolution

As part of the implementation of a vulnerability remediation, we will provide full documentation to all our affected users and partners.

We will then notify those who raised the vulnerability that it has been resolved and how it has been remediated.

In addition, we may request the permission of those who raised the vulnerability to publish their relevant investigations and materials.

Guidance for Responsible Reporting

You MUST NOT:

  • Break any applicable law or regulation
  • Access confidential, unnecessary, or significant amounts of data
  • Modify data in the systems or services being reported upon
  • Use high-intensity invasive or destructive scanning tools to find vulnerabilities
  • Attempt or report any form of denial of service
  • Disrupt the services or systems being reported upon
  • Submit reports detailing non-exploitable vulnerabilities
  • Communicate any vulnerabilities or associated details by means other than those documented in this policy
  • Implicate Woodward Associates staff or infrastructure in a vulnerability attack
  • Demand financial compensation during any part of the process documented in this policy

You MUST:

  • Always comply with data protection rules and not violate the privacy of Woodward Associates users, staff, contractors, services, and systems
  • Securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first

Legal Note

This policy is intended to be compatible with common vulnerability disclosure good practice.  It does not give you permission to act in any manner that is inconsistent with the law, or which might cause the Organisation or partner organisations to be in breach of any legal obligations.