Recommended starting deadlines
A practical first policy is critical in 3 days, high in 7 days, medium in 30 days, and low in 90 days. Teams can adjust by repository, team, or severity.
- Critical: 3 days
- High: 7 days
- Medium: 30 days
- Low: 90 days
Guide
A practical guide to defining vulnerability remediation SLAs for GitHub Dependabot and security alerts.
Business-day calculation can make sense for internal policies, but customer contracts and urgent exploitable vulnerabilities may require calendar-day handling.
Notify owners early, remind team leads near the deadline, and alert security or management after the SLA deadline is breached.
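The sketch below is an added example, not code from this guide or from GitHub: it computes due dates from the deadlines above in calendar days and in business days, and picks the notification stage for a given day. The function names, the weekend-only business-day rule (no holidays), and the 75% reminder threshold are assumptions chosen for illustration.

```python
from datetime import date, timedelta

# Deadlines from the guide, in days per severity.
SLA_DAYS = {"critical": 3, "high": 7, "medium": 30, "low": 90}


def due_date(opened: date, severity: str, business_days: bool = False) -> date:
    """Return the SLA due date for an alert opened on `opened`."""
    remaining = SLA_DAYS[severity.lower()]
    if not business_days:
        return opened + timedelta(days=remaining)
    current = opened
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday=0 .. Friday=4; holidays not modelled
            remaining -= 1
    return current


def escalation(opened: date, severity: str, today: date,
               business_days: bool = False, remind_fraction: float = 0.75) -> str:
    """Return who to notify today: 'owner', 'team_lead' or 'security'.

    remind_fraction is an assumed threshold: once that share of the SLA
    window has elapsed, the reminder goes to the team lead.
    """
    due = due_date(opened, severity, business_days)
    if today > due:
        return "security"  # deadline breached: security or management
    window = (due - opened).days
    elapsed = (today - opened).days
    if elapsed >= window * remind_fraction:
        return "team_lead"
    return "owner"


if __name__ == "__main__":
    opened = date(2024, 3, 1)  # constructed sample: an alert opened on a Friday
    for sev in SLA_DAYS:
        print(sev, due_date(opened, sev), due_date(opened, sev, business_days=True))
    print(escalation(opened, "critical", date(2024, 3, 5)))
```

For a critical alert opened on a Friday, the calendar-day deadline falls on Monday while the business-day deadline falls on Wednesday, which is the gap that matters for urgent exploitable vulnerabilities.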