Vulnerability Sources
Vulnerabilities enter LowerPlane through connected security tool integrations:

| Integration | Vulnerability Types |
|---|---|
| Snyk | Open source dependency vulnerabilities, container image issues, code security findings |
| Wiz | Cloud misconfiguration, workload vulnerabilities, network exposure |
| AWS Inspector | EC2 instance and container image vulnerabilities |
| CrowdStrike Spotlight | Endpoint vulnerability findings |
| Qualys Cloud Platform | Network and web application vulnerabilities |
| Tenable | Infrastructure vulnerability assessment findings |
| GitHub Dependabot | Dependency vulnerability alerts |
| GitLab Vulnerability Scanner | SAST, DAST, and dependency findings |
| Semgrep | Static analysis security issues |
| SonarQube | Code quality and security vulnerabilities |
Severity Levels
Every vulnerability is assigned a severity level based on the source tool’s assessment:

| Severity | SLA Guidance | Description |
|---|---|---|
| Critical | Remediate within 7 days | Actively exploitable, high impact, or public exploit available |
| High | Remediate within 30 days | Significant risk, likely exploitable |
| Medium | Remediate within 90 days | Moderate risk, requires specific conditions to exploit |
| Low | Remediate as resources allow | Low risk, limited exploitability |
| Informational | No SLA | Awareness only, best practice recommendations |
The SLA guidance above represents common industry benchmarks. Configure your organization’s specific SLA targets in Settings to match your risk appetite and compliance requirements.
Viewing Vulnerabilities
Navigate to Assets > Vulnerabilities to see all tracked vulnerabilities. The list supports:

- Filtering by severity, status (open, in progress, resolved, accepted), source integration, and affected asset
- Searching by CVE ID, vulnerability title, or affected component
- Sorting by severity, discovery date, age, or affected asset
- Grouping by asset, severity, or source

| Field | Description |
|---|---|
| Title | Name or CVE identifier of the vulnerability |
| Severity | Critical, high, medium, low, or informational |
| Affected asset | The asset where the vulnerability was found |
| Source | Integration that reported the finding |
| Status | Open, in progress, resolved, or accepted risk |
| Discovered | When the vulnerability was first detected |
| Age | Days since discovery (highlights SLA breaches) |
Remediation Workflows
Triage
Review new vulnerabilities and confirm their severity. Assign an owner responsible for remediation.
Assess
Determine the appropriate remediation action: patch, upgrade, configuration change, compensating control, or risk acceptance.
Remediate
Apply the fix in the affected system. Update the vulnerability status to In Progress while work is underway.
Verify
On the next integration sync, LowerPlane automatically checks whether the vulnerability is still present. If resolved, the status updates to Resolved automatically.
Risk Acceptance
Not every vulnerability requires immediate remediation. When the risk is acceptable due to compensating controls or low business impact:

- Open the vulnerability detail page.
- Change the status to Accepted Risk.
- Record the justification, including who approved the acceptance and what compensating controls are in place.
- Set a review date to re-evaluate the acceptance.
Compliance Impact
Vulnerability management is a core requirement across all supported frameworks:

| Framework | Relevant Requirements |
|---|---|
| ISO 27001 | A.12.6.1 (Management of technical vulnerabilities) |
| SOC 2 | CC7.1 (Monitoring infrastructure for vulnerabilities) |
| HIPAA | 164.308(a)(1) (Risk analysis), 164.308(a)(5)(ii)(B) (Protection from malicious software) |
| GDPR | Article 32 (Appropriate technical measures) |
| PCI-DSS | Req 6.1 (Identify vulnerabilities), Req 11.2 (Vulnerability scans) |

- No critical vulnerabilities older than SLA threshold — Verifies remediation is happening within defined timeframes
- Vulnerability scanning is active — Confirms scanners are running and covering all in-scope assets
- Vulnerability trends are improving — Tracks whether your overall vulnerability count is decreasing over time
Vulnerability Metrics
The vulnerability dashboard provides key metrics:

- Total open vulnerabilities — Count by severity level
- Mean time to remediation — Average days from discovery to resolution
- SLA compliance — Percentage of vulnerabilities resolved within SLA
- Aging analysis — Breakdown of open vulnerabilities by age
- Trend over time — Historical view of vulnerability counts
Auditors frequently request vulnerability metrics as part of their evidence review. LowerPlane generates these reports automatically, so they are always current when you need them.
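The following is an added example, not LowerPlane's own code, showing how the severity SLA windows above, the Age field's SLA-breach highlighting, and the dashboard metrics (open count by severity, mean time to remediation, SLA compliance, aging) can be computed from a set of findings. The record layout, the 7/30/90-day windows taken from the severity table, and the sample findings are assumptions constructed for illustration; accepted-risk findings are treated as off the SLA clock, as the Risk Acceptance section implies.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Remediation windows (days) from the severity table; Low and Informational have no fixed SLA.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

@dataclass
class Vuln:
    title: str
    severity: str        # critical / high / medium / low / informational
    status: str          # open / in progress / resolved / accepted
    discovered: date
    resolved: Optional[date] = None
def age_days(v: Vuln, today: date) -> int:
    # Open findings keep aging; resolved ones stop at their resolution date.
    return ((v.resolved or today) - v.discovered).days
def sla_breached(v: Vuln, today: date) -> bool:
    # Accepted risk is off the SLA clock; otherwise a breach is age past the window.
    limit = SLA_DAYS.get(v.severity)
    if limit is None or v.status == "accepted":
        return False
    return age_days(v, today) > limit
def metrics(vulns: list, today: date) -> dict:
    opened = [v for v in vulns if v.status in ("open", "in progress")]
    closed = [v for v in vulns if v.status == "resolved" and v.resolved]
    by_sev: dict = {}
    for v in opened:
        by_sev[v.severity] = by_sev.get(v.severity, 0) + 1
    scoped = [v for v in closed if v.severity in SLA_DAYS]      # SLA compliance base
    on_time = sum(1 for v in scoped if not sla_breached(v, today))
    aging = {"0-7": 0, "8-30": 0, "31-90": 0, "90+": 0}         # open findings by age
    for a in (age_days(v, today) for v in opened):
        aging["0-7" if a <= 7 else "8-30" if a <= 30 else "31-90" if a <= 90 else "90+"] += 1
    return {"open_by_severity": by_sev, "aging": aging,
            "mttr_days": float(mean(age_days(v, today) for v in closed)) if closed else 0.0,
            "sla_compliance_pct": 100.0 * on_time / len(scoped) if scoped else 100.0,
            "sla_breaches": [v.title for v in opened if sla_breached(v, today)]}

# Constructed sample records (not real findings), evaluated as of 2024-06-30.
TODAY = date(2024, 6, 30)
SAMPLE = [
    Vuln("libfoo RCE (constructed)", "critical", "open", date(2024, 6, 10)),
    Vuln("Public storage bucket", "high", "in progress", date(2024, 6, 20)),
    Vuln("Weak TLS config", "medium", "resolved", date(2024, 3, 1), date(2024, 4, 15)),
    Vuln("Old kernel on build host", "high", "resolved", date(2024, 4, 1), date(2024, 6, 1)),
    Vuln("Verbose server banner", "medium", "accepted", date(2024, 1, 1)),
]
```

Note that the late-resolved high finding still counts against SLA compliance even though it is closed, while the accepted medium finding, despite being 181 days old, does not appear as a breach.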
Best Practices
- Scan continuously, not periodically. Connect scanners that run regularly rather than relying on quarterly assessments.
- Set realistic SLAs. SLAs that are too aggressive lead to risk acceptance overuse. SLAs that are too lenient leave you exposed.
- Track all vulnerabilities, not just critical ones. Auditors look at your full vulnerability management process, not just critical findings.
- Review accepted risks quarterly. Conditions change. A risk that was acceptable six months ago may no longer be.
- Use vulnerability data in risk assessments. Feed vulnerability trends into your risk register to maintain an accurate risk picture.