D.1.2 Risk-based vulnerability remediation

Control Details

Objective

Remediate vulnerabilities based upon a risk-based prioritization

Definition

Make risk-based decisions on whether to remediate a vulnerability or if the risk will be addressed another way (e.g. acceptance, temporary remediation, deferred remediation). Prioritize actions that will be taken. Deliver remediations via an automated and trusted delivery mechanism.

Assessment Questions

  1. Tell me about your process for making decisions on which vulnerabilities should be remediated.
  2. What is your process for responding to reported incidents quickly?
  3. Do you have a policy that high-priority vulnerabilities can prevent the shipment of the product?

Reference sources

  1. EO 4e(iv), 4e(v), 4e(viii)
  2. SSDF RV.2.2
  3. SSDF-AI RV.2.2
  4. 800-161 SA-5, SA-11
  5. OSSF-Scorecard vulnerabilities