7.3.2. Remediation Tracking and Exception Handling
💡 First Principle: Finding vulnerabilities without tracking their remediation is security theater — you have identified risk but not reduced it. A mature vulnerability management program requires a closed-loop process: discover → prioritize → assign → remediate → verify → close. Without the verify and close steps, you cannot demonstrate that remediation actually occurred, and without tracking timelines, you cannot hold teams accountable to risk-based SLAs.
Remediation SLA framework:
Organizations define remediation timelines based on severity, adjusting for asset criticality and exposure:
| Severity | Typical SLA (Internet-Facing) | Typical SLA (Internal) | Escalation Trigger |
|---|---|---|---|
| Critical | 24–72 hours | 7 days | Auto-escalate to CISO at SLA breach |
| High | 7–14 days | 30 days | Manager notification at 50% SLA elapsed |
| Medium | 30–60 days | 90 days | Monthly reporting; exception if beyond 90 |
| Low | 90–180 days | Next maintenance cycle | Tracking only |
Exception handling and risk acceptance:
Not every vulnerability can be remediated immediately — some cannot be patched without breaking production, some affect legacy systems with no vendor support, and some require architectural changes that take months. The exception process provides a governed path for accepting residual risk:
- Risk acceptance request — System owner documents why remediation cannot occur within SLA, the compensating controls in place, and the residual risk.
- Risk review — Security team evaluates whether compensating controls adequately reduce risk and whether the proposed timeline is reasonable.
- Approval authority — Risk acceptance requires approval at a level commensurate with the risk. Critical risks typically require CISO or executive approval; medium risks may be approved by the asset owner's director.
- Time-bound revalidation — Every exception expires. Common practice: 90-day revalidation for critical, 180-day for high. At revalidation, either the vulnerability is remediated, the exception is renewed with fresh justification, or the risk acceptance is revoked and remediation becomes mandatory.
- Audit trail — Every exception decision is documented for audit evidence. Regulators and auditors expect to see a governed exception process, not ad-hoc decisions.
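The following Python sketch is an added example, not part of this guide: it applies the SLA and escalation rules from the table above together with the time-bound exception expiry described in this list, and returns the closed-loop state of each finding (a finding is CLOSED only once the fix has been verified). The state names, the 180-day stand-in for "next maintenance cycle", the revalidation periods for medium and low, and the sample findings are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
# SLA days from the table above as (internet-facing, internal); "Low / internal" is
# "next maintenance cycle" on the page, so 180 days is an assumed stand-in.
SLA_DAYS = {"Critical": (3, 7), "High": (14, 30), "Medium": (60, 90), "Low": (180, 180)}
# Exception revalidation: 90 days critical and 180 high are from the text; medium/low assumed.
REVALIDATION_DAYS = {"Critical": 90, "High": 180, "Medium": 180, "Low": 180}
REPORT_DATE = date(2024, 6, 1)  # constructed reporting date used by the sample below

@dataclass
class Finding:
    finding_id: str
    severity: str
    internet_facing: bool
    discovered: date
    remediated: Optional[date] = None          # date the fix was deployed
    verified: Optional[date] = None            # date a rescan confirmed the fix
    exception_approved: Optional[date] = None  # date risk acceptance was approved

def status(f: Finding, today: date) -> str:
    if f.verified:
        return "CLOSED"
    if f.remediated:
        return "PENDING_VERIFICATION"  # fix claimed, not yet confirmed by rescan
    if f.exception_approved:  # time-bound exception: expires at the revalidation date
        expires = f.exception_approved + timedelta(days=REVALIDATION_DAYS[f.severity])
        return "EXCEPTION_ACTIVE" if today < expires else "EXCEPTION_EXPIRED"
    deadline = f.discovered + timedelta(days=SLA_DAYS[f.severity][0 if f.internet_facing else 1])
    if today > deadline:  # Critical auto-escalates to the CISO on breach
        return "BREACHED_ESCALATE_CISO" if f.severity == "Critical" else "BREACHED"
    elapsed = (today - f.discovered) / (deadline - f.discovered)
    if f.severity == "High" and elapsed >= 0.5:
        return "ESCALATE_MANAGER"  # manager notification at 50% of SLA elapsed
    return "ON_TRACK"

def sample_findings() -> list:
    # Constructed sample findings, not real scan output.
    return [
        Finding("VULN-1", "Critical", True, date(2024, 5, 20)),
        Finding("VULN-2", "High", False, date(2024, 5, 12)),
        Finding("VULN-3", "High", True, date(2024, 5, 28)),
        Finding("VULN-4", "Critical", False, date(2024, 1, 15), exception_approved=date(2024, 2, 1)),
        Finding("VULN-5", "Medium", True, date(2024, 4, 10), remediated=date(2024, 5, 30)),
        Finding("VULN-6", "Low", False, date(2024, 1, 5), remediated=date(2024, 3, 1), verified=date(2024, 3, 2)),
    ]

def triage(findings, today: date = REPORT_DATE) -> dict:
    return {f.finding_id: status(f, today) for f in findings}
```

Running `triage(sample_findings())` shows the expired exception (VULN-4) and the claimed-but-unverified fix (VULN-5) surfacing as open work rather than silently dropping off the report.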
Vulnerability disclosure — responsible coordination:
When your organization discovers a vulnerability in a third-party product, or when a researcher discovers one in yours, a disclosure process governs the communication:
| Disclosure Model | How It Works | Risk Profile |
|---|---|---|
| Coordinated (responsible) | Discoverer notifies vendor privately; vendor patches; public disclosure after patch available | Lowest risk — patch available before exploit public |
| Full disclosure | Discoverer publishes immediately with no vendor notification | High risk — attackers get exploit details before patch exists |
| Bug bounty | Vendor pays researchers for reported vulnerabilities | Moderate — incentivizes research but requires triage capacity |
| CVE assignment | MITRE assigns unique identifier; enables tracking across industry | Essential for cross-vendor remediation tracking |
Common Vulnerabilities and Exposures (CVE): The CVE system provides a standardized identifier for publicly known vulnerabilities. CVE IDs (e.g., CVE-2024-3094 for the XZ Utils backdoor) enable unambiguous communication across vendors, scanners, and security teams. The National Vulnerability Database (NVD) enriches CVEs with CVSS scores, affected product lists, and reference links.
⚠️ Exam Trap: Risk acceptance is not risk ignorance. Accepting risk without documented justification, compensating controls, and executive approval is simply ignoring the vulnerability. The exam tests whether you understand the governance structure required for legitimate risk acceptance versus informal decisions to defer patching.
Reflection Question: A vulnerability scan reveals a critical RCE vulnerability in a production ERP system that processes payroll for 5,000 employees. The vendor has released a patch, but the system owner reports that applying the patch requires a 12-hour maintenance window and full regression testing — a process that cannot be scheduled for six weeks. Describe the exception process, the compensating controls you would require during the gap, and the approval authority needed for this risk acceptance.