Vuln Mgmt

Vulnerability SLA (Critical 7d / High 30d / Medium 90d / Low 365d)

Patch SLA windows, exception process, and KEV automatic uplift.

SLA windows

Severity   Patch deadline   Exception max
Critical   7 days           14 days (with approval)
High       30 days          60 days
Medium     90 days          180 days
Low        365 days         indefinite

KEV uplift

If a CVE is in CISA's KEV catalog, severity auto-elevates to Critical regardless of CVSS score.

How exceptions work

  1. SOC engineer or asset owner opens an exception via Mini App /approvals/create
  2. Approval routes to CISO + Risk persona (dual-channel TG inline)
  3. If approved, exception expires at original_deadline + grant_days
  4. Auto-reminder at T-7 days
  5. Z.395 audit chain appends the exception decision
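
The SLA windows, KEV uplift and exception expiry rule above, combined into one deadline calculation. This is an added example, not the platform's own code. The names Finding, schedule, breached and SAMPLE_KEV are hypothetical and the CVE IDs are constructed placeholders. It assumes the SLA clock starts at detection, that "Exception max" caps grant_days after uplift, and that the T-7 reminder counts back from the exception expiry.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Severity -> (patch deadline days, exception max days; None = indefinite)
SLA = {"critical": (7, 14), "high": (30, 60), "medium": (90, 180), "low": (365, None)}

# Constructed sample data: placeholder IDs, not real CVEs or a real KEV extract.
SAMPLE_KEV = {"CVE-0000-0001"}


@dataclass
class Finding:
    cve: str
    severity: str        # severity as rated before any KEV uplift
    detected: date       # assumption: the SLA clock starts on this date
    grant_days: int = 0  # approved exception length; 0 means no exception


def effective_severity(f: Finding, kev: set) -> str:
    """KEV uplift: a KEV-listed CVE is Critical regardless of CVSS score."""
    return "critical" if f.cve in kev else f.severity.lower()


def schedule(f: Finding, kev: set) -> dict:
    """Return the effective severity, due date and reminder date for a finding."""
    sev = effective_severity(f, kev)
    window, max_grant = SLA[sev]
    # Assumption: "Exception max" caps grant_days, checked after KEV uplift.
    if max_grant is not None and f.grant_days > max_grant:
        raise ValueError(f"{f.cve}: {f.grant_days}d exceeds {sev} max of {max_grant}d")
    original_deadline = f.detected + timedelta(days=window)
    due = original_deadline + timedelta(days=f.grant_days)
    # Assumption: the T-7 reminder counts back from the exception expiry.
    reminder = due - timedelta(days=7) if f.grant_days else None
    return {"severity": sev, "original_deadline": original_deadline,
            "due": due, "reminder": reminder}


def breached(f: Finding, kev: set, today: date) -> bool:
    """A finding breaches SLA once today is past its due date."""
    return today > schedule(f, kev)["due"]


if __name__ == "__main__":
    for f in (Finding("CVE-0000-0001", "medium", date(2025, 1, 1), grant_days=14),
              Finding("CVE-0000-0002", "high", date(2025, 1, 1), grant_days=30)):
        print(f.cve, schedule(f, SAMPLE_KEV))
```

A Medium finding that lands in KEV is held to the Critical exception cap, so a 60-day grant that was valid before the uplift is rejected after it.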

How patches are tracked

/api/v1/v27/platform/overview reports patch SLA breach count.

/api/v1/v25/support/kb?category=vuln-mgmt returns related articles.