Vulnerability Response SLAs
Severity SLAs
| Severity | SLA | Default Action |
|---|---|---|
| Critical | 24 hours | Block release and hotfix |
| High | 7 days | Prioritized sprint remediation |
| Medium | 30 days | Planned remediation |
| Low | 90 days | Backlog with owner |
Response Workflow
- Validate the finding and identify the affected assets.
- Classify severity per the table above and assign an engineering owner.
- Apply containment if the exploit risk is immediate.
- Patch, test, and verify the fix in CI.
- Capture the root cause and update guardrails and prompt templates.
Required Evidence
- Scan report reference
- PR or patch reference
- Verification test evidence
- Closure approval by security owner