SLA Tracking
Understand remediation SLA deadlines by vulnerability severity and track compliance.
CVEium CIS tracks remediation Service Level Agreement (SLA) deadlines for each vulnerability based on its severity. This helps you meet regulatory requirements for timely vulnerability handling.
Default SLA deadlines
| Severity | Deadline |
|---|---|
| Critical | 7 days |
| High | 30 days |
| Medium | 90 days |
| Low | 180 days |
Deadlines are measured from the vulnerability's discovered date (when it was first matched to your SBOM).
These defaults are based on common industry practices and the EU Cyber Resilience Act Article 13 principle of handling vulnerabilities "without delay."
SLA status indicators
Each vulnerability in the triage view shows an SLA status:
- OK: The deadline is not yet approaching. No indicator is shown.
- Approaching: The deadline is close, with 20% or less of the allowed time remaining. An orange warning indicator appears.
- Overdue: The deadline has passed. A red overdue indicator appears.
SLA in the triage statistics
The triage page sidebar shows the total number of overdue vulnerabilities. This count includes only vulnerabilities that have not been resolved (those without a "not affected" or "fixed" disposition).
When SLA does not apply
SLA tracking is automatically disabled for vulnerabilities with a resolved disposition:
- Not Affected: The vulnerability does not impact your product.
- Fixed: The vulnerability has been remediated.
Once you set one of these dispositions, the SLA indicator is removed.
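As an added worked example (not CVEium CIS code; the product's own implementation is not shown on this page), the following Python models the rules described above: the default deadline per severity measured from the discovered date, the "approaching" and "overdue" states, the removal of SLA tracking for resolved dispositions, and the overdue count shown in the triage sidebar. The sample vulnerabilities and the reference date are constructed. It assumes that "within 20% of the allowed time" means 20% or less of the allowed time remains, and that a vulnerability becomes overdue on the day after its deadline.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Default SLA deadlines in days, by severity (the table on this page).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Dispositions that resolve a vulnerability and switch SLA tracking off.
RESOLVED_DISPOSITIONS = {"not affected", "fixed"}

# Assumption: "approaching" means 20% or less of the allowed time remains.
APPROACHING_FRACTION = 0.20


@dataclass
class Vulnerability:
    vuln_id: str
    severity: str
    discovered: date                   # date first matched to the SBOM
    disposition: Optional[str] = None  # e.g. "Not Affected", "Fixed", or None


def sla_deadline(v: Vulnerability) -> date:
    """Deadline = discovered date + allowed days for the severity."""
    return v.discovered + timedelta(days=SLA_DAYS[v.severity.lower()])


def sla_status(v: Vulnerability, today: date) -> str:
    """Return 'n/a', 'overdue', 'approaching' or 'ok' for one vulnerability."""
    if v.disposition and v.disposition.lower() in RESOLVED_DISPOSITIONS:
        return "n/a"  # resolved: the SLA indicator is removed
    allowed = SLA_DAYS[v.severity.lower()]
    deadline = sla_deadline(v)
    if today > deadline:  # assumption: overdue from the day after the deadline
        return "overdue"
    remaining = (deadline - today).days
    if remaining <= allowed * APPROACHING_FRACTION:
        return "approaching"
    return "ok"


def overdue_count(vulns: List[Vulnerability], today: date) -> int:
    """Sidebar statistic: overdue vulnerabilities that are not resolved."""
    return sum(1 for v in vulns if sla_status(v, today) == "overdue")


# Constructed sample data evaluated against a fixed reference date.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Vulnerability("V-1", "Critical", date(2024, 5, 20)),             # deadline 2024-05-27
    Vulnerability("V-2", "High", date(2024, 5, 5)),                  # deadline 2024-06-04
    Vulnerability("V-3", "Medium", date(2024, 5, 1)),                # deadline 2024-07-30
    Vulnerability("V-4", "Low", date(2023, 11, 1), "Not Affected"),  # resolved: no SLA
    Vulnerability("V-5", "Critical", date(2024, 4, 1), "Fixed"),     # resolved: no SLA
]

if __name__ == "__main__":
    for v in SAMPLE:
        print(f"{v.vuln_id:5} {v.severity:9} deadline {sla_deadline(v)}  "
              f"status {sla_status(v, TODAY)}")
    print("overdue (unresolved):", overdue_count(SAMPLE, TODAY))
```

Run as a script, it lists each sample vulnerability with its deadline and status; V-1 is overdue, V-2 is approaching (3 of 30 days left), V-3 is ok, and the two resolved entries show no SLA, so the sidebar count is 1 even though V-4 is also past its nominal deadline.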
SLA in compliance reports
The compliance attestation report includes a section documenting your organization's SLA policy, showing the deadline for each severity level. This provides evidence to auditors and regulatory authorities that you have defined and are tracking remediation timelines.