GitHub Dependabot SLA Guide

A practical guide to defining vulnerability remediation SLAs for GitHub Dependabot and security alerts.

Recommended starting deadlines

A practical first policy is: critical fixed within 3 days, high within 7 days, medium within 30 days, and low within 90 days. Teams can tighten or relax these windows per repository, team, or severity.

  • Critical: 3 days
  • High: 7 days
  • Medium: 30 days
  • Low: 90 days

Use business-day rules carefully

Business-day calculation can make sense for internal policies, but customer contracts and urgent exploitable vulnerabilities may require calendar-day handling.

Escalate before breach

Notify owners early, remind team leads as the deadline approaches, and alert security or management once the deadline has been breached.
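The three sections above (starting deadlines, business-day versus calendar-day counting, and escalation before breach) together describe a small calculation that is worth seeing end to end. The following is an added example, not code from the guide: it computes the due date for each open alert from the guide's starting windows, lets you choose calendar or business-day counting, and assigns each alert to an escalation stage. The escalation thresholds (owner notice once half the window has elapsed, team-lead reminder within one day of the deadline) are assumptions chosen for this example; the sample alerts are constructed, with field names modelled on the shape of Dependabot alert records (`number`, `created_at`, `security_advisory.severity`).

```python
"""SLA due-date and escalation calculator for Dependabot alerts (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation windows from the guide, in days.
SLA_DAYS = {"critical": 3, "high": 7, "medium": 30, "low": 90}


def add_business_days(start: date, days: int) -> date:
    """Advance `start` by `days` weekdays (Monday to Friday), skipping weekends."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # weekday() is 0-4 for Monday to Friday
            remaining -= 1
    return current


def due_date(created: date, severity: str, business_days: bool = False) -> date:
    """Deadline for an alert created on `created`.

    Calendar days are the default; business-day counting is opt-in because the
    guide notes it may be unsuitable for contractual or actively exploited cases.
    """
    days = SLA_DAYS[severity.lower()]
    return add_business_days(created, days) if business_days else created + timedelta(days=days)


def escalation_stage(created: date, due: date, today: date) -> str:
    """Map an open alert to an escalation stage.

    Assumed thresholds (not from the guide): 'owner' once half the window has
    elapsed, 'lead' within one day of the deadline, 'security' after breach.
    """
    if today > due:
        return "security"
    if due - today <= timedelta(days=1):
        return "lead"
    window = (due - created).days
    elapsed = (today - created).days
    if window > 0 and elapsed / window >= 0.5:
        return "owner"
    return "none"


@dataclass(frozen=True)
class Triage:
    number: int
    severity: str
    due: date
    days_left: int
    stage: str


def triage_alerts(alerts, today: date, business_days: bool = False) -> list:
    """Compute due date, days remaining and escalation stage; most urgent first."""
    results = []
    for alert in alerts:
        created = date.fromisoformat(alert["created_at"][:10])
        severity = alert["security_advisory"]["severity"]
        due = due_date(created, severity, business_days)
        results.append(Triage(alert["number"], severity, due, (due - today).days,
                              escalation_stage(created, due, today)))
    results.sort(key=lambda t: (t.days_left, t.number))
    return results


# Constructed sample alerts (not real data); field names follow the shape of
# Dependabot alert records: number, created_at, security_advisory.severity.
SAMPLE_ALERTS = [
    {"number": 1, "created_at": "2025-01-06T09:00:00Z", "security_advisory": {"severity": "critical"}},
    {"number": 2, "created_at": "2025-01-03T09:00:00Z", "security_advisory": {"severity": "high"}},
    {"number": 3, "created_at": "2024-12-20T09:00:00Z", "security_advisory": {"severity": "medium"}},
    {"number": 4, "created_at": "2025-01-08T09:00:00Z", "security_advisory": {"severity": "low"}},
]


def triage_sample(today_iso: str, business_days: bool = False) -> list:
    """Run the triage over the constructed alerts for a given 'today' (ISO date)."""
    return triage_alerts(SAMPLE_ALERTS, date.fromisoformat(today_iso), business_days)


if __name__ == "__main__":
    for t in triage_sample("2025-01-09"):
        print(f"#{t.number} {t.severity:8} due {t.due} ({t.days_left:3d} days left) -> {t.stage}")
```

In practice the alert list would come from the repository's Dependabot alerts export or API response rather than the constructed `SAMPLE_ALERTS`; the stage names map directly to the three notification tiers in the guide, so a scheduled job can route `owner`, `lead` and `security` to the right channel.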