Define a target remediation timeframe for each severity level, quickly identify overdue reports, and track compliance with these targets over time.
In the platform's Admin Panel, at the program level (for Bug Bounty, PTM, or VDP), you can configure a Service Level Agreement (SLA) for remediation in days by editing the program. For each severity level, you can specify the expected time for a vulnerability to be remediated.
When enabled, the SLA automatically computes a "due date" for each report, based on the report's acceptance date (status "Accepted"). The remediation (status "Resolved") must be completed before this due date; otherwise, the report is considered "overdue". The SLA applied to a report is the policy that was configured when the report was created.
In the Vulnerability Center, the SLA column displays an icon indicating whether the report is overdue (red) or on time (black). The Vulnerability Center table can be filtered to display only "on time" or "overdue" reports.
If the column displays a dash "-", it means that no SLA was enabled when the report was created, that the report is not valid and remains open (from the "Accepted" status), or that no value has been set for this report's CVSS.
In the Report view, the due date is also displayed in the top-right corner of the report.
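The due-date rule described above can be reproduced outside the platform, for instance to check an export of reports. The following is an added example, not the platform's own code: the field names, the severity labels, the SLA values and the sample reports are all constructed, and it assumes that a report with no acceptance date has no due date and that resolving on the due date itself counts as on time.

```python
from datetime import date, timedelta

# Constructed per-severity SLA in days (assumed values, not platform defaults).
POLICY = {"critical": 7, "high": 30, "medium": 60, "low": 90}

def sla_state(report, today):
    """Return (due_date, state); state is "on time", "overdue" or "-"."""
    policy = report.get("policy_at_creation")  # SLA in force when the report was created
    severity = report.get("severity")          # None when no CVSS value is set
    accepted = report.get("accepted_on")       # date the report became "Accepted"
    if not policy or severity not in policy or accepted is None:
        return None, "-"                       # no due date can be computed
    due = accepted + timedelta(days=policy[severity])
    # Resolved reports are judged on their resolution date, open ones on today.
    reference = report.get("resolved_on") or today
    # Assumption: resolving on the due date itself still counts as on time.
    return due, ("on time" if reference <= due else "overdue")

def overdue_ids(reports, today):
    """Ids of reports whose state is "overdue", like the overdue filter."""
    return [r["id"] for r in reports if sla_state(r, today)[1] == "overdue"]

# Constructed sample reports (hypothetical ids and dates).
REPORTS = [
    {"id": "R1", "severity": "critical", "accepted_on": date(2024, 3, 1),
     "policy_at_creation": POLICY},
    {"id": "R2", "severity": "high", "accepted_on": date(2024, 3, 1),
     "resolved_on": date(2024, 3, 20), "policy_at_creation": POLICY},
    {"id": "R3", "severity": "medium", "accepted_on": date(2024, 3, 1),
     "policy_at_creation": None},   # SLA not enabled at creation
    {"id": "R4", "severity": None, "accepted_on": date(2024, 3, 1),
     "policy_at_creation": POLICY},  # no CVSS value set
    {"id": "R5", "severity": "low", "accepted_on": date(2023, 11, 1),
     "resolved_on": date(2024, 2, 15), "policy_at_creation": POLICY},
]
TODAY = date(2024, 3, 15)

if __name__ == "__main__":
    for r in REPORTS:
        due, state = sla_state(r, TODAY)
        print(r["id"], due or "-", state)
```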
With the SLA feature, keep an eye on your vulnerability reports so that remediations can be applied within the deadlines defined by your organisation.