Vulnerability Management


The Vulnerability Management Lifecycle

Vulnerability management is a continuous process: discover, classify, prioritize, remediate, and verify. It is not a quarterly checkbox exercise.

Scanning Infrastructure

Deploy scanners across your environment:




# scan-schedule.yaml


scanners:


- type: network


tool: nessus


target: 10.0.0.0/8


schedule: daily


port_range: 1-65535




- type: webapp


tool: burp-suite


target: "https://*.example.com"


schedule: weekly


auth_session: required




- type: container


tool: trivy


target: "registry.example.com/*"


schedule: on-push





CVSS and EPSS Prioritization

CVSS (Common Vulnerability Scoring System) measures severity. EPSS (Exploit Prediction Scoring System) measures likelihood of exploitation.




import requests




class VulnerabilityPrioritizer:


def __init__(self):


self.epss_api = "https://api.first.org/epss/v1"




def prioritize(self, vulnerabilities):


scored = []


for vuln in vulnerabilities:


cvss = vuln.get("cvss_score", 0)




# Get EPSS score


epss = self.get_epss(vuln["cve_id"])




# Combined priority score


priority = (cvss * 0.4) + (epss * 0.6)




scored.append({


"cve": vuln["cve_id"],


"cvss": cvss,


"epss": epss,


"priority": priority,


"has_exploit": vuln.get("exploit_available", False)


})




return sorted(scored, key=lambda x: x["priority"], reverse=True)




def get_epss(self, cve_id):


resp = requests.get(f"{self.epss_api}/epss?cve={cve_id}")


data = resp.json()


return float(data["data"][0]["epss"]) if data.get("data") else 0.0





Remediation SLAs

Define SLAs based on risk:

| Severity | Remediation SLA | Verification | |----------|----------------|--------------| | Critical | 24 hours | Re-scan required | | High | 7 days | Patch confirmation | | Medium | 30 days | Ticket closure | | Low | 90 days | Exception review |

Automated Remediation Workflows




from datetime import datetime, timedelta


import smtplib




def process_vulnerability(vuln):


sla_map = {


"critical": timedelta(hours=24),


"high": timedelta(days=7),


"medium": timedelta(days=30),


"low": timedelta(days=90)


}




severity = get_severity(vuln["cvss_score"])


deadline = datetime.utcnow() + sla_map[severity]




# Assign to team


ticket = create_ticket(


title=f"Remediate {vuln['cve_id']}",


assignee=get_owner(vuln["asset"]),


deadline=deadline,


severity=severity


)




# Escalate if approaching deadline


if datetime.utcnow() > deadline - timedelta(hours=4):


if severity in ["critical", "high"]:


escalate_to_manager(ticket)





Reporting and Metrics

Track key performance indicators:




-- Mean time to remediate


SELECT severity,


AVG(EXTRACT(EPOCH FROM (resolved_at - detected_at)) / 3600) as avg_hours


FROM vulnerabilities


WHERE detected_at > NOW() - INTERVAL '90 days'


GROUP BY severity


ORDER BY severity;




-- Vulnerability backlog


SELECT COUNT(*) as open_count,


severity,


CURRENT_DATE - MAX(detected_at::date) as oldest_days


FROM vulnerabilities


WHERE status = 'open'


GROUP BY severity;





Conclusion

Modern vulnerability management requires continuous scanning, risk-based prioritization using CVSS and EPSS, and enforceable SLAs. Automate where possible but maintain human oversight for critical findings. Measure your mean time to remediate and drive it down over time.