Vulnerability Management Process
Detection Sources
| System | Role |
|---|---|
| Dependabot | Dependency vulnerability detection across all Meridian7-io repositories |
| CrowdStrike | Endpoint vulnerability findings and threat detections |
| GitHub Secret Scanning | Exposed secrets in repository history |
| Claude Security Review | AI-powered security review on PRs via security-review.yml workflow |
Each vulnerability is tracked as a GitHub Issue via the Vulnerability Remediation template.
Remediation SLAs
| Severity | Deadline | Enforcement |
|---|---|---|
| Critical | 72 hours | Weekly security review |
| High | 7 days | Weekly security review |
| Medium | 30 days | Weekly security review |
| Low | Next sprint | Monthly review |
Workflow
- Detection — Scanner surfaces the vulnerability (Dependabot alert, CrowdStrike finding, Claude Security Review finding, secret scanning alert)
- Triage — Reviewer creates a GitHub Issue, assigns severity and SLA deadline
- Remediation — Engineer applies fix via pull request
- Verification — Detection system confirms resolution; verify runner confirms no regressions
- Close — GitHub Issue closed with evidence of resolution
Risk Acceptance
If a vulnerability cannot be remediated, it is documented in automation/config/accepted-risks.yaml with justification, compensating controls, and a 6-month review date.
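The SLA table and the accepted-risks.yaml fields above can be turned into a check that produces the input for the weekly and monthly reviews. The following is an added example, not code from the Meridian7-io repositories; it assumes the accepted-risks.yaml key names (`justification`, `compensating_controls`, `review_date`), which the page names only in prose, and that the caller supplies the sprint end date used as the deadline for Low findings.

```python
from datetime import datetime, timedelta, timezone

# Deadlines from the Remediation SLAs table. "Low" has no fixed window (next
# sprint), so the caller supplies the sprint end date instead.
SLA = {"critical": timedelta(hours=72), "high": timedelta(days=7),
       "medium": timedelta(days=30)}
# Fields the Risk Acceptance section requires per accepted-risks.yaml entry.
# These key names are an assumption; the page names the fields only in prose.
REQUIRED_RISK_FIELDS = ("justification", "compensating_controls", "review_date")

def sla_deadline(severity, opened, next_sprint_end):
    """Deadline for an issue opened at `opened` with the given severity label."""
    sev = severity.lower()
    return next_sprint_end if sev == "low" else opened + SLA[sev]

def overdue_issues(issues, now, next_sprint_end):
    """Issue numbers still open past their SLA deadline (weekly review input)."""
    return [i["number"] for i in issues if i["state"] == "open"
            and sla_deadline(i["severity"], i["opened"], next_sprint_end) < now]

def stale_accepted_risks(risks, now):
    """Accepted-risk ids missing a required field or past their review date."""
    stale = []
    for r in risks:
        missing = [f for f in REQUIRED_RISK_FIELDS if not r.get(f)]
        if missing or r["review_date"] < now:
            stale.append(r.get("id", "<no id>"))
    return stale

# Constructed sample data (not real findings): issues as triage would record
# them, and accepted risks as yaml.safe_load() would return them.
def utc(y, m, d): return datetime(y, m, d, tzinfo=timezone.utc)
NOW, SPRINT_END = utc(2025, 3, 10), utc(2025, 3, 14)
ISSUES = [
    {"number": 101, "severity": "Critical", "state": "open", "opened": utc(2025, 3, 6)},  # 96h old: overdue
    {"number": 102, "severity": "High", "state": "open", "opened": utc(2025, 3, 5)},      # 5 days: within SLA
    {"number": 103, "severity": "Medium", "state": "closed", "opened": utc(2025, 1, 1)},  # closed: ignored
    {"number": 104, "severity": "Low", "state": "open", "opened": utc(2025, 2, 1)},       # due at sprint end
]
RISKS = [
    {"id": "AR-001", "justification": "vendor fix pending", "compensating_controls": "WAF rule",
     "review_date": utc(2025, 9, 1)},
    {"id": "AR-002", "justification": "legacy host", "compensating_controls": "",
     "review_date": utc(2025, 1, 15)},  # review overdue and control missing
]

if __name__ == "__main__":
    print("SLA breaches:", overdue_issues(ISSUES, NOW, SPRINT_END))
    print("Accepted risks needing review:", stale_accepted_risks(RISKS, NOW))
```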
Evidence
| Artifact | Location |
|---|---|
| Dependabot alerts | evidence/logs/github/YYYY/MM/github-cc6.1-*-dependabot-alerts.json |
| CrowdStrike alerts | evidence/logs/crowdstrike/YYYY/MM/crowdstrike-cc7.2-*-alerts.json |
| Branch protection | evidence/logs/github/YYYY/MM/github-cc8.1-*-branch-protection.json |
Related Documents
Meridian Seven — Confidential