For each CVE on the Vulnerabilities view, you can see its remediation status and deadline. The deadlines and the statuses “due soon”, “due later” and “overdue” are calculated from industry best practices and service-level agreements (SLAs) that prescribe different remediation timeframes depending on the CVE's CVSS score:
- critical vulnerabilities (9-10) must be addressed within a week,
- high impact vulnerabilities (7-9) must be mitigated within 15 days,
- medium vulnerabilities (4-7) must be treated in 30 days,
- low impact vulnerabilities (1-4) must be mitigated within 60 days.
You can adjust SLAs based on your corporate patching policy. For example, to ensure critical issues get addressed as soon as possible, you can make them prominent by keeping their deadlines tight while loosening those for low- and medium-risk CVEs.
To modify SLAs, navigate to the Vulnerability Remediation Compliance dashboard or Configuration / Advanced.
- On the Dashboard page, select a gear icon next to Vulnerability Remediation Compliance and set remediation timeframes for each severity.
- On the Advanced page, select the SLA you want to update, for example “Vulnerability Remediation SLA: Critical”, and provide a new value. By default, SLAs are enterprise-wide. You can also customize remediation timeframes per scope, so that each organization has different deadlines for the same CVE: select Add Scope to set an SLA for a specific organization.
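The deadline and status calculation described above, written out as an added Python example (not the product's own code). It assumes the upper boundary of each score band belongs to the higher severity (9.0 is critical, 7.0 is high, 4.0 is medium), that "due soon" means the deadline is within three days, and that a per-scope override replaces only the severities it names; the organization names and findings are constructed sample data.

```python
from datetime import date, timedelta
from typing import Optional

# Default enterprise-wide SLAs in days, per severity (values from the page).
DEFAULT_SLA_DAYS = {"critical": 7, "high": 15, "medium": 30, "low": 60}

# Hypothetical per-scope overrides: an organization may tighten or loosen
# individual severities; anything not listed falls back to the default.
SCOPE_SLA_DAYS = {"org-payments": {"critical": 3, "high": 10}}

# Assumption: a finding is "due soon" when its deadline is this close or closer.
DUE_SOON_WINDOW_DAYS = 3


def severity_from_cvss(score: float) -> str:
    """Map a CVSS base score to the SLA severity band (boundary goes to the higher band)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def sla_days(severity: str, scope: Optional[str] = None) -> int:
    """Return the SLA for a severity, applying the scope's override when one exists."""
    days = DEFAULT_SLA_DAYS[severity]
    if scope is not None:
        days = SCOPE_SLA_DAYS.get(scope, {}).get(severity, days)
    return days


def remediation_deadline(cvss: float, detected: date, scope: Optional[str] = None) -> date:
    """Deadline = detection date + SLA for the CVE's severity in that scope."""
    return detected + timedelta(days=sla_days(severity_from_cvss(cvss), scope))


def remediation_status(cvss: float, detected: date, today: date,
                       scope: Optional[str] = None) -> str:
    """Classify a finding as "overdue", "due soon" or "due later" as of `today`."""
    deadline = remediation_deadline(cvss, detected, scope)
    if today > deadline:          # the deadline day itself is still on time
        return "overdue"
    if (deadline - today).days <= DUE_SOON_WINDOW_DAYS:
        return "due soon"
    return "due later"
```

Because the scope override is looked up per severity, the same CVE can be "due later" enterprise-wide while already "overdue" for an organization with a tighter SLA.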