Design: Track and Display Vulnerability Remediation Time
Problem to solve
A fundamental piece of any vulnerability management toolset is providing insight into the time it takes to resolve a given vulnerability. An organization's Mean Time to Remediate/Respond (MTTR) is the average time from identification to successful resolution of a given risk. In the context of vulnerability management, this is often the average time it takes to remediate vulnerabilities of a given severity.
Tracking MTTR over time is an important benchmark to understand if performance is improving when it comes to handling vulnerabilities. Tracking the time it takes for an individual vulnerability to move from creation to a status of Closed Remediated is a key first step in providing higher level MTTR metrics.
Intended users
- Delaney (Development Team Lead) - Delaney will want to know if the engineering team is meeting any SLAs around vulnerability remediation as well as to understand general time impacts of remediating vulnerabilities.
- Alex (Security Operations Engineer) - Alex will want to keep an eye on remediation times for high severity or high sensitivity vulnerabilities to ensure they are resolved quickly, thus reducing organizational risk.
User experience goal
Vulnerability lists on the Security Dashboards are updated with additional information to let users quickly gain insights such as:
- which vulnerabilities are newest?
- which vulnerabilities have been open the longest?
- what amount of time has a given vulnerability been open or did it take to resolve (don't make me do date math)?
The new information on the vulnerability lists will be filterable and sortable like other existing fields.
Viewing an individual vulnerability's page will indicate the time elapsed since creation (detection) while the vulnerability is still open.
If the vulnerability is Dismissed, the user will see how long it took total from creation to dismissal.
If the vulnerability is Resolved, the user will see how long it took from creation to remediation.
If a vulnerability has its status updated multiple times, each status change will update the total time the user sees, counted from the creation timestamp. For example, if a Dismissed vulnerability was open for 3 days, set back to Open, worked on for 2 days and then Resolved, the user would ultimately see a remediation time of 5 days.
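
The timing rule above, and a per-severity MTTR built on it, as an added Python example (not GitLab's implementation). The record layout, function names and sample timestamps are constructed; it assumes the reopen in the 3-day/2-day example follows the dismissal immediately and that only Resolved vulnerabilities count toward MTTR.

```python
from datetime import datetime, timedelta

CLOSED = {"Dismissed", "Resolved"}  # statuses that stop the clock

def elapsed(created, history, now):
    """Return (current_status, time shown to the user).

    history is a list of (timestamp, new_status), oldest first (assumed layout).
    The time is always counted from the creation timestamp: up to the latest
    status change when closed, up to `now` while the vulnerability is open.
    """
    status, changed_at = "Open", created
    for ts, new_status in history:
        if ts < changed_at:
            raise ValueError("status history is not in chronological order")
        status, changed_at = new_status, ts
    end = changed_at if status in CLOSED else now
    return status, end - created

def mttr_by_severity(vulns, now):
    """Mean creation-to-Resolved time per severity (assumption: open and
    Dismissed vulnerabilities are left out of the average)."""
    buckets = {}
    for v in vulns:
        status, delta = elapsed(v["created"], v["history"], now)
        if status == "Resolved":
            buckets.setdefault(v["severity"], []).append(delta)
    return {sev: sum(ds, timedelta()) / len(ds) for sev, ds in buckets.items()}

# Constructed sample data (UTC, naive datetimes); not taken from any real project.
T0 = datetime(2024, 1, 1)
day = timedelta(days=1)
NOW = T0 + 10 * day
SAMPLE = [
    # Open 3 days, Dismissed, reopened at once, Resolved 2 days later.
    {"severity": "high", "created": T0,
     "history": [(T0 + 3 * day, "Dismissed"), (T0 + 3 * day, "Open"),
                 (T0 + 5 * day, "Resolved")]},
    {"severity": "high", "created": T0 + day,
     "history": [(T0 + 2 * day, "Resolved")]},
    {"severity": "critical", "created": T0, "history": []},  # still open
    {"severity": "low", "created": T0,
     "history": [(T0 + 4 * day, "Dismissed")]},
]

if __name__ == "__main__":
    for v in SAMPLE:
        print(v["severity"], *elapsed(v["created"], v["history"], NOW))
    print(mttr_by_severity(SAMPLE, NOW))
```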