Add vulnerability management SLAs and scanning schedule

This commit is contained in:
Zoe Bäcker 2026-02-10 10:30:00 +00:00
parent 4b3192bc0f
commit a9f8e7a1bd


@ -0,0 +1,27 @@
# Vulnerability Management Procedure
**Version:** 1.1 | **Owner:** AppSec | **Classification:** Internal
## SLAs
| Severity | Remediation SLA | Exceptions |
|----------|----------------|-----------|
| Critical (CVSS 910) | 24 hours | CISO approval required |
| High (CVSS 78.9) | 7 days | Manager approval |
| Medium (CVSS 46.9) | 30 days | Standard process |
| Low (CVSS 03.9) | 90 days | Best effort |
## Scanning schedule
- External attack surface: daily (automated, Qualys)
- Internal network: weekly
- Container images: on every CI build
- Dependencies: on every PR (Dependabot)
## Exception process
Exceptions require:
1. Business justification
2. Compensating controls documented
3. Sign-off from CISO
4. Re-review in 30 days
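Review bot: the approval rules in the SLA table and the "Exception process" section contradict each other: the table's Exceptions column scopes "CISO approval required" to Critical only, with "Manager approval" for High and "Standard process" for Medium, but item 3 under "Exceptions require:" makes "Sign-off from CISO" mandatory for every exception regardless of severity. Either reword item 3 to "Sign-off from the approver listed in the Exceptions column for that severity" or remove the per-severity approvers from the table so there is a single source of truth. Separately, the CVSS bands in the Severity column have lost their range separator and read as single numbers ("CVSS 910", "CVSS 78.9", "CVSS 46.9", "CVSS 03.9"); write them as explicit ranges (9.0 to 10.0, 7.0 to 8.9, 4.0 to 6.9, 0 to 3.9) so the boundaries are unambiguous.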