security-policies/procedures/vulnerability-management.md

# Vulnerability Management Procedure
**Version:** 1.1 | **Owner:** AppSec | **Classification:** Internal

## SLAs

| Severity | CVSS range | Remediation SLA | Exceptions |
|----------|------------|-----------------|------------|
| Critical | 9.0 - 10.0 | 24 hours | CISO approval required |
| High | 7.0 - 8.9 | 7 days | Manager approval |
| Medium | 4.0 - 6.9 | 30 days | Standard process |
| Low | 0.0 - 3.9 | 90 days | Best effort |
## Scanning schedule

- External attack surface: daily (automated, Qualys)
- Internal network: weekly
- Container images: on every CI build
- Dependencies: on every PR (Dependabot)

## Exception process

Exceptions require:

1. Business justification
2. Compensating controls documented
3. Sign-off from CISO
4. Re-review in 30 days