From a9f8e7a1bd2ff931b4682c8869023b07cc3a390a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zoe=20B=C3=A4cker?= Date: Tue, 10 Feb 2026 10:30:00 +0000 Subject: [PATCH] Add vulnerability management SLAs and scanning schedule --- procedures/vulnerability-management.md | 27 ++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 procedures/vulnerability-management.md diff --git a/procedures/vulnerability-management.md b/procedures/vulnerability-management.md new file mode 100644 index 0000000..316c522 --- /dev/null +++ b/procedures/vulnerability-management.md @@ -0,0 +1,27 @@ +# Vulnerability Management Procedure + +**Version:** 1.1 | **Owner:** AppSec | **Classification:** Internal + +## SLAs + +| Severity | Remediation SLA | Exceptions | +|----------|----------------|-----------| +| Critical (CVSS 9–10) | 24 hours | CISO approval required | +| High (CVSS 7–8.9) | 7 days | Manager approval | +| Medium (CVSS 4–6.9) | 30 days | Standard process | +| Low (CVSS 0–3.9) | 90 days | Best effort | + +## Scanning schedule + +- External attack surface: daily (automated, Qualys) +- Internal network: weekly +- Container images: on every CI build +- Dependencies: on every PR (Dependabot) + +## Exception process + +Exceptions require: +1. Business justification +2. Compensating controls documented +3. Sign-off from CISO +4. Re-review in 30 days
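Review bot: the "Exceptions" column of the SLA table conflicts with the "Exception process" section in the same hunk. The table says a High finding needs only "Manager approval" and Medium/Low follow the "Standard process" / "Best effort", while the section below states that every exception requires "3. Sign-off from CISO". Pick one: either the table column should read "See Exception process" for all tiers, or the numbered list should say which tiers need CISO sign-off and which can be approved by a manager. Three smaller gaps a reader of this procedure will hit: the SLAs ("24 hours", "7 days", ...) do not say when the clock starts (detection by the scanner, triage, or ticket creation), the severity bands cite CVSS ranges without naming the CVSS version or whether base or environmental score is used (CVSS v3.x rates 0.0 as "None", so "Low (CVSS 0–3.9)" should start at 0.1 if that is the intent), and the scanning schedule covers "Container images: on every CI build" but nothing re-scans images already built and deployed, so a CVE published after the last build has no path into the SLA table. Also, a freshly created file carrying "**Version:** 1.1" suggests an earlier revision exists somewhere; if it does not, start at 1.0.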