Configure SLA Rules
Configure SLA rules
Define severity-based vulnerability remediation deadlines and review due-date impact.
Start with severity rules
A practical default is critical in 3 days, high in 7 days, medium in 30 days, and low in 90 days. Tune the policy for your contracts, risk appetite, customer commitments, and regulatory obligations.
Use repository or team-specific rules carefully
Team-specific or repository-specific rules are useful when one product has stricter obligations, but too many exceptions make evidence harder to explain. Keep policy names clear and review inactive policies.
Recalculate after policy changes
Policy changes should update due dates intentionally and leave an audit trail. Review overdue counts after saving policy changes so teams understand the operational impact.