# Vulnerability Management Procedure

**Version:** 1.1 | **Owner:** AppSec | **Classification:** Internal

## SLAs

| Severity | Remediation SLA | Exceptions |
|----------|----------------|-----------|
| Critical (CVSS 9–10) | 24 hours | CISO approval required |
| High (CVSS 7–8.9) | 7 days | Manager approval |
| Medium (CVSS 4–6.9) | 30 days | Standard process |
| Low (CVSS 0–3.9) | 90 days | Best effort |

## Scanning schedule

- External attack surface: daily (automated, Qualys)
- Internal network: weekly
- Container images: on every CI build
- Dependencies: on every PR (Dependabot)

## Exception process

Exceptions require:

1. Business justification
2. Compensating controls documented
3. Sign-off from CISO
4. Re-review in 30 days