What is the vulnerability remediation timeline you have adopted for CVSS >= 7.0 vulnerabilities which are only exposed to your Intranet users (not Internet)?

Security & GRC Threat & Vulnerability Management

Between 6-12 months13%

Between 3-6 months30%

Between 2-3 months19%

Between 1-2 months15%

Between 2 weeks to 1 month12%

Between 1-2 weeks4%

Between 0-1 week5%

952 PARTICIPANTS

5.2k views3 Upvotes3 Comments

Sort by:

CIO in Finance (non-banking)5 years ago

Cvss is inadequate. I suggest focus on exploitable vulnerabilities and having capacity to remediate new vulnerabilities that show up in the wild. Monitor aging of exploitables and keep those under 60 days.

CTO in Software6 years ago

CVSS is a great start, but it lacks context. Here's a few questions to start with evaluating the remediation timeline:

1. Who has access to this vulnerable System? 3rd Party/Contractors? Everyone in The Company? A few Employees?

2. Is accessing the System requires going through VPN or MFA? Is there an audit trail?

3. Are there any Security Controllers deployed before one gets an access this System?

4. Are there any Security Controllers deployed on the System, in case it gets comprised?

5. Is this System contains sensitive data? Can Data be leaked from it?

Validating those points (and more), will help establish a more realistic, breach-oriented approach to the problem at hand.

Senior Security and Compliance Auditor in Software6 years ago

7.0 hits my High rating (Medium tops off at 6.9) so it would need to be fully resolved within 30 days (Medium 60 days). I use the CVSS score as a starting point and then score to my organization so it may lower/raise the score based on a number of risk factors, including Intranet only.

Content you might like

Does your organization have a strategy to address disinformation risks?

Yes33%

Not yet – we’re working on it42%

No25%

Unsure

View Results

Do you accept payments in crypto currency?

Yes, we do today.10%

No, but we plan to in the next 6 months.34%

No, but we plan to further in the future.10%

No, and we have no plans to.44%

View Results

How are companies doing Unified Vulnerability Management? The idea is bringing all inputs (AppSec, DevSecOps, VM scanning, asset discovery etc) into one platform. Instead of creating a homegrown solution, are there vendors that do this well?

What is the vulnerability remediation timeline you have adopted for CVSS >= 7.0 vulnerabilities which are only exposed to your Intranet users (not Internet)?

Sort by:

Content you might like

Does your organization have a strategy to address disinformation risks?

Do you accept payments in crypto currency?

How are companies doing Unified Vulnerability Management? The idea is bringing all inputs (AppSec, DevSecOps, VM scanning, asset discovery etc) into one platform. Instead of creating a homegrown solution, are there vendors that do this well?

How can the risk management function be strengthened to counterbalance overly aggressive executive decisions?

Is red teaming a better way to demonstrate security needs to the board than traditional compliance audits?

What sets us apart?

RELATED ONE-MINUTE INSIGHTS

How are U.S. CISOs Addressing Liability Risk?

CrowdStrike Outage: Impact And Recovery

Impact & Perceptions of A Privacy-First Digital Era

Challenges & Tools For A Privacy-First Internet Age

IT and Infosec Collaboration on Vulnerability Patching

Take Your Insights On-the-Go