Vulnerability Scoring and Remediation
GSO Remediation timeline and scoring
Remediation Timelines
The table below outlines the timelines to remediate vulnerabilities once support teams are notified.
Severity | CVSS Score | Contrast Score | SonarQube Scoring | Remediation Timeline | Prod Release Implications |
---|---|---|---|---|---|
Critical | 9.0-10.0 | Critical | D and E | Immediately remediate on notification | Blocker |
High | 7.0-8.9 | High | C | Less than 30 days from notification | Blocker |
Med/Low | 0-6.9 | Med/Low | B | Less than 90 days from notification | GSO Approval Required |
N/A | N/A | NOTE | A | N/A | N/A |
The CVSS score is the base score from NVD (v3 primarily, or v2 if v3 is not available). It does not include business context or environmental (i.e. external-facing) considerations.
Helpful links: GSO Vuln Remediation timeline, Contrast app scoring, Contrast Library Scoring, CVSS, SonarQube Scoring