---
name: vulnerability-management
description: Manage vulnerability assessment and remediation programs including scanning, prioritization, risk scoring, patch management, and compliance reporting. Use when running vulnerability scans, prioritizing remediation, managing patch cycles, or generating compliance reports. Triggers on phrases like "vulnerability management", "vulnerability scanning", "CVE", "CVSS", "patch management", "patch cycle", "vulnerability assessment", "risk scoring", "exploitability", "remediation priority", "scan schedule", "baseline scan", "compliance scan", "Nessus", "Qualys", "Tenable", "OpenVAS", "vulnerability report".
---

# Vulnerability Management

Manage vulnerability assessment and remediation programs including scanning, prioritization, risk scoring, patch management, and compliance reporting.

## Workflow

### 1. Vulnerability Scanning Program

```
VULNERABILITY SCANNING PROGRAM
═══════════════════════════════════════

Scan Types & Schedule:
═══════════════════════════════════════

Scan Type            Schedule      Scope            Tool            Auth
───────────────────────────────────────────────────────────────────────────────
External             Weekly        Internet-facing  Nessus/Qualys   Unauth
Internal             Bi-weekly     All internal IPs Nessus/Tenable  Auth
Container            Per build     CI/CD pipeline   Trivy/Grype     N/A
Compliance           Monthly       PCI/HIPAA scope  Nessus/Qualys   Auth
Penetration Test     Quarterly     Full stack       Pentester       Auth
Web App              Monthly       Web apps         Burp/AWS WAF    Auth
DB Scanner           Monthly       Databases        Nessus DB       Auth

SCAN SCOPE:
═══════════════════════════════════════

  External (Internet-Facing):
    → 45 public IPs
    → 12 load balancers
    → 3 web applications
    → 5 API endpoints

  Internal:
    → 2,500 endpoints (workstations, servers)
    → 150 virtual machines
    → 80 cloud instances
    → 45 containers (production)

  Authenticated Scans:
    → Windows: Domain admin account (read-only)
    → Linux: SSH key (sudo access)
    → Database: Service account (SELECT only)
    → Cloud: ReadOnly role (CloudTrail enabled)
```

### 2. Vulnerability Prioritization

```
VULNERABILITY PRIORITIZATION FRAMEWORK
═══════════════════════════════════════

Risk Scoring Formula:
═══════════════════════════════════════

  Risk = CVSS × Exploitability × Business Impact × Exposure

  CVSS (Common Vulnerability Scoring System):
    → Base: Technical severity (0.0 - 10.0)
    → Temporal: Fix availability, exploit code maturity
    → Environmental: Impact on specific environment

  Exploitability Factors:
    → Public exploit code available? (+2 levels)
    → Active exploitation in wild? (+3 levels)
    → Proof-of-concept exists? (+1 level)
    → Exploited in recent breaches? (+2 levels)

  Business Impact:
    → Critical system (payment, auth, customer data)
    → High system (internal tools, analytics)
    → Medium system (dev, test, staging)
    → Low system (legacy, decommissioning)

  Exposure:
    → Internet-facing (+2 levels)
    → DMZ / Perimeter (+1 level)
    → Internal network (base)
    → Isolated network (-1 level)

PRIORITY TIERS:
═══════════════════════════════════════

Tier    SLA          CVSS      Exploitation    System     Example
───────────────────────────────────────────────────────────────────────
P1      24 hours     ≥ 9.0     Active          Critical   Log4Shell, PrintNightmare
P2      7 days       ≥ 7.0     Code available  Critical   RCE on internet-facing
P3      14 days      ≥ 5.0     Any             Critical   SQL injection, XSS
P4      30 days      ≥ 5.0     Any             Medium     Info disclosure
P5      90 days      < 5.0     None            Any        Low-risk findings
```
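The tier table and the exposure modifiers above, implemented as an added Python example (not part of the original skill): the tier comes from the first matching row of the table, and the exposure "+N levels" are then applied as tier promotions, capped at P1 and P5, with exploitability evidence feeding the Exploitation column rather than being counted twice. Reading "+N levels" as tier steps and sending every non-critical system to the P4 row are assumptions; the `Finding` shape, its field names and the sample findings are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Remediation SLA per tier, from the PRIORITY TIERS table.
SLA = {1: timedelta(hours=24), 2: timedelta(days=7), 3: timedelta(days=14),
       4: timedelta(days=30), 5: timedelta(days=90)}
# Exposure "+N levels", read here as tier promotions (assumption): +2 moves P3 to P1.
EXPOSURE_LEVELS = {"internet": 2, "dmz": 1, "internal": 0, "isolated": -1}
# Exploitability evidence that satisfies the "Code available" column of the P2 row.
CODE_AVAILABLE = {"public_exploit", "poc", "breach"}

@dataclass
class Finding:                      # constructed record shape, not a scanner export
    cve: str
    cvss: float                     # CVSS base score
    system: str                     # business impact: critical | high | medium | low
    exposure: str                   # key of EXPOSURE_LEVELS
    discovered: datetime
    exploitation: set = field(default_factory=set)   # "active" and/or CODE_AVAILABLE

def table_tier(f: Finding) -> int:
    """First matching row of the tier table; non-critical systems fall to the P4 row."""
    critical = f.system == "critical"
    if f.cvss >= 9.0 and "active" in f.exploitation and critical:
        return 1
    if f.cvss >= 7.0 and f.exploitation & (CODE_AVAILABLE | {"active"}) and critical:
        return 2
    if f.cvss >= 5.0:
        return 3 if critical else 4
    return 5                        # < 5.0: P5 regardless of system

def tier(f: Finding) -> int:
    return min(5, max(1, table_tier(f) - EXPOSURE_LEVELS[f.exposure]))  # clamp P1..P5

def due(f: Finding) -> datetime:
    return f.discovered + SLA[tier(f)]

def overdue(f: Finding, now: datetime) -> bool:
    return now > due(f)

def work_queue(findings, now):
    """Remediation order: overdue first, then tier, then higher CVSS first."""
    return sorted(findings, key=lambda f: (not overdue(f, now), tier(f), -f.cvss))

NOW = datetime(2024, 12, 15, tzinfo=timezone.utc)        # constructed clock for the sample
SAMPLE = [                                              # constructed findings, not real data
    Finding("CVE-2024-001", 10.0, "critical", "internet", NOW - timedelta(hours=30), {"active"}),
    Finding("CVE-2024-002", 8.0, "critical", "dmz", NOW - timedelta(days=3)),
    Finding("CVE-2024-003", 6.5, "medium", "internal", NOW - timedelta(days=40)),
]
```

Run `work_queue(SAMPLE, NOW)` to get the remediation order; the 30-hour-old P1 and the 40-day-old P4 both sort ahead of the 3-day-old DMZ finding because they have already breached their SLA.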

### 3. Patch Management

```
PATCH MANAGEMENT CYCLE
═══════════════════════════════════════

Windows Patch Cycle:
═══════════════════════════════════════

  Week 1: Microsoft releases patches (Patch Tuesday)
  Week 2: Test patches on lab systems
  Week 3: Deploy to staging (10% of fleet)
  Week 4: Deploy to production (remaining 90%)

  Tools: WSUS / SCCM / Intune / Advanced Group Policy

  Deployment rings:
    → Ring 0: Lab/VMs (immediate)
    → Ring 1: IT staff machines (Day 1)
    → Ring 2: Pilot group (Day 7)
    → Ring 3: Non-critical production (Day 14)
    → Ring 4: Critical production (Day 21)

Linux Patch Cycle:
═══════════════════════════════════════

  Distribution        Tool                 Schedule            Reboot
  ──────────────────────────────────────────────────────────────────────────
  RHEL/CentOS         yum/dnf + Katello    Monthly (2nd Fri)   Required for kernel
  Ubuntu              unattended-upgrades  Weekly (auto)       Required for kernel
  Debian              apt + Ansible        Monthly             Required for kernel
  Amazon Linux        yum + SSM            Bi-weekly           Required for kernel
  Alpine              apk                  Weekly              Required for kernel

  Security patches: Auto-apply (no reboot required where possible)
  Kernel patches: Scheduled maintenance window

CLOUD PATCH MANAGEMENT:
═══════════════════════════════════════

  → AWS SSM Patch Manager (Windows + Linux)
  → Azure Update Manager (Windows + Linux)
  → GCP OS Config (Linux)
  → Container images: Rebuild on base image update
  → Serverless: Auto-updated by provider
  → AMI: Rebuild with Packer, replace instances

EMERGENCY PATCHING:
═══════════════════════════════════════

  Trigger: Critical vulnerability (P1, active exploitation)
  → Skip staging testing
  → Deploy within 24 hours
  → Rollback plan ready
  → Communication to stakeholders
```

### 4. Vulnerability Reporting

```
VULNERABILITY REPORT
═══════════════════════════════════════

Executive Summary (Monthly):
═══════════════════════════════════════

  Total vulnerabilities: 1,247
  Open (overdue): 89
  Remediated this month: 456
  Average time to remediate: 18 days

  By Severity:
    → Critical (CVSS ≥ 9.0): 12 (SLA: 24 hours)
    → High (CVSS 7.0-8.9): 45 (SLA: 7 days)
    → Medium (CVSS 4.0-6.9): 234 (SLA: 14 days)
    → Low (CVSS < 4.0): 956 (SLA: 90 days)

  By Status:
    → Open: 297 (24%)
    → In Progress: 156 (13%)
    → Remediated: 794 (63%)
    → Accepted Risk: 22 (2%)

  Top 10 Most Prevalent CVEs:
  ════════════════════════════════════════

  Rank  CVE           CVSS  Affected Systems  SLA      Status
  ────────────────────────────────────────────────────────────────────
  1     CVE-2024-001  9.8   45 servers        24h      In Progress
  2     CVE-2024-002  8.5   32 workstations   7 days   Open
  3     CVE-2024-003  7.8   28 VMs            7 days   Remediated
  4     CVE-2024-004  7.2   15 containers     14 days  Open
  5     CVE-2024-005  6.5   120 endpoints     30 days  In Progress

COMPLIANCE REPORT:
═══════════════════════════════════════

  Standard    Requirement                    Status     Gap
  ────────────────────────────────────────────────────────────────────
  PCI-DSS     Vuln scan quarterly            ✓ Met      —
  PCI-DSS     Remediate critical within 30d  ✓ Met      —
  PCI-DSS     Web app scan                   ✓ Met      —
  SOC 2       Patch management process       ✓ Met      —
  HIPAA       Vulnerability management       ✓ Met      —
  ISO 27001   A.12.6.1 Malware protection    ✓ Met      —
  NIST CSF    PR.IP-12 Vulnerability Mgmt    ✓ Met      —
```

### 5. Risk Acceptance & Exceptions

```
RISK ACCEPTANCE PROCESS
═══════════════════════════════════════

When to Accept Risk:
═══════════════════════════════════════

  → Patch unavailable
  → Patch causes incompatibility (tested)
  → Vulnerability not exploitable in environment
  → Remediation cost > risk (documented)
  → Legacy system (migration planned)

Approval Matrix:
═══════════════════════════════════════

  CVSS      Required Approver     Duration     Review
  ────────────────────────────────────────────────────────
  ≥ 9.0     CISO + CEO            30 days      Monthly
  7.0-8.9   CISO                  90 days      Quarterly
  4.0-6.9   Security Manager      180 days     Semi-annual
  < 4.0     Security Engineer     1 year       Annual

Risk Acceptance Form:
═══════════════════════════════════════

  → CVE ID and description
  → Affected systems (list)
  → CVSS score
  → Reason for acceptance
  → Compensating controls
  → Migration/remediation plan (timeline)
  → Approver signature
  → Review date
```

## Edge Cases

- **End-of-life systems**: No patches available (isolate or replace)
- **Custom software**: No vendor patches (internal fix)
- **Embedded/IoT**: Cannot patch (network isolation)
- **Zero-day**: No fix available (virtual patching, WAF)
- **False positives**: Validation and exclusion process

## Integration Points

- **Scanners**: Nessus, Qualys, Tenable, OpenVAS, Trivy
- **SIEM**: Splunk, Sentinel, QRadar
- **CMDB**: ServiceNow, Jira Service Management
- **Ticketing**: Jira, ServiceNow, Remedy
- **Patch tools**: WSUS, SCCM, SSM, Ansible
- **Threat intel**: MISP, VirusTotal, AlienVault OTX

## Output

### Vulnerability Management Status

```
VULNERABILITY MANAGEMENT — Q4 2024
═══════════════════════════════════════

Open vulnerabilities: 297 (↓ 45% from Q3)
Overdue (P1/P2): 8 (↓ from 23)
MTTR: 18 days (target: 14 days)
Scan coverage: 100% of in-scope assets
Compliance: All standards met
Risk acceptances: 22 (3 pending renewal)

Top action items:
  → Remediate 12 critical vulns (24h SLA)
  → Patch 45 high-risk endpoints
  → Renew 3 expiring risk acceptances
```
