Configure SLA Rules

Configure SLA rules

Define severity-based vulnerability remediation deadlines and review due-date impact.

Start with severity rules

A practical default is critical in 3 days, high in 7 days, medium in 30 days, and low in 90 days. Tune the policy for your contracts, risk appetite, customer commitments, and regulatory obligations.

Use repository or team-specific rules carefully

Team-specific or repository-specific rules are useful when one product has stricter obligations, but too many exceptions make evidence harder to explain. Keep policy names clear and review inactive policies.

Recalculate after policy changes

Policy changes should update due dates intentionally and leave an audit trail. Review overdue counts after saving policy changes so teams understand the operational impact.