Security Vulnerability Remediation SLA

Worked Examples

Example 1: Enterprise Vulnerability Backlog

Problem: 100-person company discovers: 5 critical, 20 high, 50 medium, 100 low vulnerabilities. Security team: 3 people. Avg fix time: 6 hours. Can they meet standard SLAs?

Solution: SLA Requirements:\n- Critical (24h): 5 vulns × 6h = 30h needed, 3 × 24h = 72h available ✓\n- High (7d): 20 vulns × 6h = 120h needed, 3 × 168h = 504h available ✓\n- Medium (30d): 50 vulns × 6h = 300h needed, 3 × 720h = 2,160h available ✓\n- Low (90d): 100 vulns × 6h = 600h needed, 3 × 2,160h = 6,480h available ✓\n\nAnalysis:\nWith exclusive focus, can meet all SLAs. But:\n- Security team has other duties (monitoring, incidents)\n- New vulns arrive continuously\n- Realistically, 50% capacity for remediation\n\nActual capacity:\n- Critical: 36h → 6 vulns (breach 0)\n- High: 252h → 42 vulns (breach 0)\n- Medium: 1,080h → 180 vulns (no breach)\n\nRecommendation: Doable if vulnerabilities are addressed immediately and team focused.

Result: Theoretical: SLAs achievable | Realistic: Need prioritization and focus

Example 2: Understaffed Security Team

Problem: 2-person team, 8 critical, 40 high, 80 medium, 150 low vulns discovered. Standard SLAs. Impossible to meet all—what's the strategy?

Solution: Capacity Analysis:\n- Team capacity: 2 × 40h/week = 80h/week\n- Actual for remediation: ~40h/week (50% after meetings, monitoring)\n\nCritical Vulns (24h SLA):\n- 8 vulns × 6h = 48h\n- Available: 2 × 24h = 48h\n- Can barely meet if dropping everything\n\nHigh Vulns (7d SLA):\n- 40 × 6h = 240h\n- Available: 2 × 168h × 50% = 168h\n- Will breach ~12 vulns\n\nStrategy:\n1. Immediately patch all 8 criticals (full team, 2 days)\n2. Triage high vulns:\n - 15 internet-facing: patch in 7 days\n - 25 internal: extend to 14 days\n3. Implement compensating controls (WAF) for delay\n4. Request budget for 1 additional security engineer\n\nAlternative:\n- Hire contractors for medium/low backlog ($50K)\n- Team focuses on critical/high only

Result: Breach inevitable | Focus on critical/high | Hire temp help or extend SLAs

Example 3: Cloud Infrastructure Continuous Scanning

Problem: SaaS company: continuous scanning finds 2-5 new vulns daily. 5-person security team. How to maintain SLA compliance continuously?

Solution: Incoming Vulns:\n- Average: 3.5 vulns/day × 30 = 105/month\n- Mix: 0.3 critical, 3 high, 10 medium, 92 low\n\nMonthly Capacity:\n- 5 people × 40h × 50% for remediation = 400h/month\n- At 4h per vuln: 100 vulns/month capacity\n\nCapacity-Demand Balance:\n- Demand: 105 vulns\n- Capacity: 100 vulns\n- Deficit: 5 vulns/month (backlog grows)\n\nSustainable Model:\n1. Automate low-severity (dependency updates)\n - Reduces: 92 low → 20 low (automation handles 72)\n - New demand: 33 vulns/month\n2. Implement patch management pipeline\n - Reduces avg time: 4h → 3h\n - New capacity: 133 vulns/month\n\nResult: 133 capacity > 33 demand = sustainable\n\nKey: Automation is mandatory for continuous compliance

Result: Manual: unsustainable | With automation: sustainable | 133 > 33 capacity

Frequently Asked Questions

What is a vulnerability remediation SLA?

Remediation SLA specifies maximum time allowed to fix security vulnerabilities based on severity. Example: Critical 24 hours, High 7 days, Medium 30 days, Low 90 days. SLAs balance risk (patch quickly) with operational reality (testing takes time). Missing SLAs increases breach risk.

How are vulnerability severities determined?

Most organizations use CVSS (Common Vulnerability Scoring System): 9.0-10.0 = Critical, 7.0-8.9 = High, 4.0-6.9 = Medium, 0.1-3.9 = Low. CVSS considers exploitability, impact, and scope. Some add business context: internet-facing critical systems may escalate severity.

What is a realistic remediation SLA for critical vulnerabilities?

Industry standards: Critical 24-48 hours, High 7-14 days, Medium 30-60 days, Low 90+ days. But context matters—a critical vuln in a non-internet-facing internal system might accept 7-day SLA. Conversely, a high vuln in production payment processing might get 24-hour treatment.

How long does vulnerability remediation actually take?

Varies widely: simple config changes (30 min to 2 hours), dependency updates (2-8 hours including testing), code changes (1-3 days), architectural changes (weeks). Average across all types: 4-8 hours. Critical vulns often get emergency patches (hours), followed by proper fixes (days).

What if I can't meet remediation SLAs?

Options: (1) Increase security team capacity, (2) Implement compensating controls (WAF, network segmentation) to reduce risk temporarily, (3) Take systems offline until patched, (4) Adjust SLAs to realistic levels. Chronic SLA misses indicate understaffing or unrealistic targets.

What is the difference between vulnerability scanning and penetration testing?

Scanning is automated discovery of known vulnerabilities using tools (Nessus, Qualys). Pen testing is manual simulation of attacks to find exploitable weaknesses. Scanning finds many issues quickly; pen testing finds what's actually exploitable. Do scanning continuously, pen testing periodically.

Background & Theory

The Security Vulnerability Remediation SLA Planner applies the following established principles and formulas. Legal and compliance calculations form the quantitative backbone of risk management across every industry. Statute of limitations periods define the window within which legal action must be initiated; missing these deadlines extinguishes claims permanently regardless of their merit. Periods vary widely by jurisdiction and claim type: contract disputes typically allow 3-6 years, personal injury claims 2-3 years, and written contracts may allow up to 10 years in some states. Calculating expiry dates requires identifying the triggering event, applying the statutory period, and accounting for tolling provisions that pause the clock during minority, incapacity, or fraudulent concealment. Employment law generates substantial calculation requirements. The Fair Labor Standards Act mandates overtime pay at 1.5 times the regular rate for hours worked beyond 40 in a workweek. Regular rate calculation is not simply the hourly wage; it must incorporate non-discretionary bonuses, shift differentials, and commissions, divided by total hours worked. Workers' compensation premiums are computed as payroll divided by 100, multiplied by the applicable class code rate, adjusted by an experience modification factor reflecting the employer's historical claims. GDPR and similar data privacy regulations impose specific retention and deletion timelines. Personal data may not be kept longer than necessary for its original purpose, requiring organisations to maintain deletion schedules and document the legal basis for each data category. Regulatory filing deadlines in financial services, environmental compliance, and healthcare are typically expressed in business days, necessitating accurate weekday and holiday calendars. Legal cost-benefit analysis quantifies litigation risk by multiplying potential damages by probability of adverse judgment, comparing expected loss against settlement or compliance investment. Liability insurance premiums reflect actuarial assessments of this expected loss, modified by coverage limits, deductibles, and risk management practices. Compliance programmes that demonstrably reduce violation probability directly reduce premium costs and regulatory exposure.

History

The history behind the Security Vulnerability Remediation SLA Planner traces back through the following developments. The formalisation of legal obligations through written codes began with the Code of Hammurabi around 1754 BCE in ancient Babylon. Carved onto a basalt stele, it established 282 laws governing commerce, property, and personal conduct, notably applying proportional penalties based on social status. The principle that legal consequences follow determinable formulas rather than arbitrary judgment traces directly to this tradition. Roman law provided the systematic framework that shaped Western legal systems. The Twelve Tables (450 BCE) codified customary law for public access, and the Corpus Juris Civilis compiled by Emperor Justinian in 529-534 CE synthesised centuries of legal development into an authoritative reference that influenced European jurisprudence for a millennium. Magna Carta in 1215 established the revolutionary principle that even monarchs were subject to law, laying the groundwork for due process, proportional punishment, and the right to a fair hearing. English common law evolved through judicial decisions rather than codification, creating a precedent-based system that spread through British colonisation to become the legal foundation of the United States, Canada, Australia, and India. The Napoleonic Code of 1804 revived the Roman codification tradition, systematising French civil law and inspiring legal reforms across continental Europe, Latin America, and parts of Africa. Its clear structure influenced how modern compliance regulations are drafted. The New Deal era of the 1930s dramatically expanded the American regulatory state, creating agencies like the SEC, NLRB, and FDA with broad rulemaking authority. This expansion made compliance a distinct professional discipline. The Sarbanes-Oxley Act of 2002, passed in response to Enron and WorldCom scandals, institutionalised compliance functions within public companies by mandating internal controls, audit committees, and executive certification of financial statements. GDPR's implementation in 2018 similarly professionalised data protection compliance globally, creating an entirely new category of compliance calculation centred on data lifecycle management.

Security Vulnerability Remediation SLA Planner