security-policies/procedures/vulnerability-management.md


Vulnerability Management Procedure

Version: 1.1 | Owner: AppSec | Classification: Internal

SLAs

| Severity | Remediation SLA | Exceptions |
|---|---|---|
| Critical (CVSS 9–10) | 24 hours | CISO approval required |
| High (CVSS 7–8.9) | 7 days | Manager approval |
| Medium (CVSS 4–6.9) | 30 days | Standard process |
| Low (CVSS 0–3.9) | 90 days | Best effort |

Scanning schedule

  • External attack surface: daily (automated, Qualys)
  • Internal network: weekly
  • Container images: on every CI build
  • Dependencies: on every PR (Dependabot)

Exception process

Exceptions require:

  1. Business justification
  2. Compensating controls documented
  3. Sign-off from CISO
  4. Re-review in 30 days