# Vulnerability Management Procedure

**Version:** 1.1 | **Owner:** AppSec | **Classification:** Internal

## SLAs

| Severity | Remediation SLA | Exceptions |
|----------|----------------|-----------|
| Critical (CVSS 9–10) | 24 hours | CISO approval required |
| High (CVSS 7–8.9) | 7 days | Manager approval |
| Medium (CVSS 4–6.9) | 30 days | Standard process |
| Low (CVSS 0–3.9) | 90 days | Best effort |

## Scanning schedule

- External attack surface: daily (automated, Qualys)
- Internal network: weekly
- Container images: on every CI build
- Dependencies: on every PR (Dependabot)

## Exception process

Exceptions require:

1. Business justification
2. Compensating controls documented
3. Sign-off from CISO
4. Re-review in 30 days