Practice vocabulary for vulnerability remediation SLAs, CVSS scoring, risk acceptance, patch vs. virtual patch, and compensating controls.
1 / 5
What is a 'remediation SLA' for vulnerabilities, and what are typical timeframes by severity?
Remediation SLAs set enforceable deadlines for fixing vulnerabilities based on severity. Common industry benchmarks: critical (CVSS 9.0–10.0) — 24 hours; high (7.0–8.9) — 7 days; medium (4.0–6.9) — 30 days; low (0.1–3.9) — 90 days. Exact values vary by organisation and compliance framework (PCI DSS, NIST). SLA breaches are tracked in vulnerability management platforms and may trigger escalations.
2 / 5
What is CVSS and what does a CVSS score represent?
CVSS (Common Vulnerability Scoring System), maintained by FIRST, produces a score from 0 to 10 using a formula that weighs exploitability metrics (attack vector, complexity, privileges required, user interaction) and impact metrics (confidentiality, integrity, availability). Scores map to severity bands: None (0), Low (0.1–3.9), Medium (4.0–6.9), High (7.0–8.9), Critical (9.0–10.0). CVSS v3.1 and v4.0 are current versions.
3 / 5
What is the difference between a 'patch' and a 'virtual patch' for a vulnerability?
A software patch updates the vulnerable component and is the permanent fix, preferred whenever it can be applied promptly. A virtual patch (also called a shield or mitigation) adds a protective layer — a WAF rule blocking the exploit pattern, a network ACL, or a runtime security control — that prevents exploitation without changing the vulnerable software, so the underlying flaw remains and the virtual patch must be tracked until a real patch is applied. Virtual patches are used when a software patch is unavailable (zero-day) or when patching requires extended change-control lead time.
4 / 5
What is a 'compensating control' in vulnerability management vocabulary?
A compensating control mitigates risk when the ideal fix is not immediately feasible. Examples: isolating a legacy system with an unpatched vulnerability behind a firewall with strict ACLs; deploying a WAF rule to block the known exploit pattern; requiring MFA for accounts that could be leveraged via the vulnerability. Compensating controls must be documented and approved as part of a risk acceptance or exception process.
5 / 5
What is a 'vulnerability backlog' and why does it become a problem?
A vulnerability backlog grows when the rate of new findings (from continuous scanning) exceeds the team's remediation capacity. An unmanaged backlog means the organisation's attack surface expands over time. Effective vulnerability management requires prioritisation (CVSS score, exploitability, asset criticality), SLA enforcement, regular triage, and sometimes formally accepting lower-priority risks to keep the backlog manageable.