Template (free). Time required: 2-3 hours (setup); ongoing thereafter.

Vulnerability Management Template

A structured template for tracking and remediating security vulnerabilities with severity classification, SLA targets, remediation workflows, and...

Updated 2026-03-05


Frequently Asked Questions

How do we prioritize vulnerability remediation against feature development?
Allocate a fixed percentage of engineering capacity to security work (10-15% is common). Critical and High vulnerabilities take priority over feature work. Medium and Low vulnerabilities are addressed within the security capacity allocation. If the security backlog grows consistently, increase the allocation.
Should we publish a vulnerability disclosure policy?
Yes. A vulnerability disclosure policy (VDP) tells security researchers how to report issues responsibly. It should include: scope (what systems are in scope), safe harbor (promise not to take legal action against good-faith reporters), reporting channel (email or bug bounty platform), and expected response time. Even without a bug bounty program, a VDP reduces the chance of public disclosure before you can fix the issue.
What is the difference between vulnerability management and patch management?
Vulnerability management is the full lifecycle: discover, triage, remediate, verify, and report. Patch management is one specific remediation method: applying vendor-issued patches (OS updates, dependency version bumps). Patch management is a subset of vulnerability management. Some vulnerabilities require code changes, architecture adjustments, or configuration fixes rather than patches.
How do we handle vulnerabilities in end-of-life (EOL) software?
EOL software receives no patches. Options: migrate to a supported version (preferred), implement compensating controls (WAF rules, network segmentation, additional monitoring), or accept the risk with documentation. EOL software should be on a migration roadmap. If it handles sensitive data, migration is urgent.
How many open vulnerabilities is normal?
There is no universal benchmark. What matters is the trend and SLA compliance. A mature program might have 20-50 open findings at any time, with zero Critical/High findings older than their SLA. An immature program might have 500+ open findings with no triage process. Focus on reducing your open Critical/High count to near-zero and maintaining > 90% SLA compliance.
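As an added illustration, not part of the template or this page, the following Python check computes the two numbers the answer above asks you to watch: the SLA compliance percentage and the list of open Critical/High findings that are past their SLA. The per-severity SLA day counts and the sample findings are assumptions for the example, not values taken from the template.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed remediation SLA (days) per severity; the template's own targets
# are not shown on this page, so these are illustrative only.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}


@dataclass
class Finding:
    id: str
    severity: str
    discovered: date
    closed: Optional[date] = None  # None means the finding is still open


def sla_deadline(f: Finding) -> date:
    return f.discovered + timedelta(days=SLA_DAYS[f.severity])


def within_sla(f: Finding, today: date) -> bool:
    """True if closed by the deadline, or still open but not yet past it."""
    end = f.closed if f.closed is not None else today
    return end <= sla_deadline(f)


def sla_report(findings: List[Finding], today: date) -> Tuple[float, List[str]]:
    """Return (compliance percentage, ids of open Critical/High findings past SLA)."""
    met = sum(within_sla(f, today) for f in findings)
    compliance = 100.0 * met / len(findings) if findings else 100.0
    overdue = sorted(
        f.id for f in findings
        if f.closed is None
        and f.severity in ("Critical", "High")
        and not within_sla(f, today)
    )
    return round(compliance, 1), overdue


# Constructed sample findings (not real data)
TODAY = date(2026, 3, 5)
SAMPLE = [
    Finding("VULN-1", "Critical", date(2026, 2, 1), closed=date(2026, 2, 5)),  # closed in time
    Finding("VULN-2", "Critical", date(2026, 2, 20)),                          # open, past 7-day SLA
    Finding("VULN-3", "High", date(2026, 2, 10)),                              # open, inside 30-day SLA
    Finding("VULN-4", "High", date(2026, 1, 1), closed=date(2026, 2, 15)),     # closed late
    Finding("VULN-5", "Medium", date(2026, 1, 10)),                            # open, inside SLA
    Finding("VULN-6", "Low", date(2025, 12, 1)),                               # open, inside SLA
]

if __name__ == "__main__":
    pct, overdue = sla_report(SAMPLE, TODAY)
    print(f"SLA compliance: {pct}%  overdue Critical/High: {overdue}")
```

A closed-late finding (VULN-4) still counts against compliance, but only open findings appear in the overdue list, which is the set that needs action now.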
