v2.4.0

A11. Vulnerability Management Register

Centralised register of all identified security vulnerabilities with severity classification, remediation SLA, current status, and resolution evidence. Fed by SAST (Semgrep), SCA, container scanning (Trivy, Grype, Snyk), and penetration testing results. Critical vulnerabilities unpatched beyond SLA are escalated to the Non-Conformity Register.

Responsible party: Security team maintains. Technical SME reviews AI-specific vulnerabilities.

Regulations addressed: Article 15 (cybersecurity); CRA Article 11 (vulnerability handling); NIS2 Article 21 (cybersecurity risk management); DORA Article 28 (ICT third-party risk).

Key outputs

  • Per-vulnerability SLA-tracked remediation record
  • Escalation to NCR on SLA breach
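A minimal register that behaves as described above, written as an added example rather than code from the taxonomy or any tool it names: normalised scanner findings are ingested once per (source, id) so re-scans do not reset the SLA clock, each record carries severity, status and resolution evidence, and critical findings still open past their SLA are raised to the Non-Conformity Register exactly once. The SLA day counts, the finding dict layout and all identifiers are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed remediation SLA in days per severity; the page does not state the policy values.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

@dataclass
class VulnRecord:
    vuln_id: str        # identifier as reported by the scanner (placeholder values below)
    source: str         # sast | sca | container | pentest
    severity: str
    first_seen: date
    status: str = "open"   # open | in_progress | resolved
    evidence: str = ""     # reference to resolution evidence once resolved

    def sla_deadline(self) -> date:
        return self.first_seen + timedelta(days=SLA_DAYS[self.severity])

    def sla_breached(self, today: date) -> bool:
        return self.status != "resolved" and today > self.sla_deadline()

class VulnRegister:
    def __init__(self) -> None:
        self.records: dict = {}          # keyed by (source, vuln_id) to de-duplicate re-scans
        self.ncr_escalations: dict = {}  # same key -> record, so each breach is raised once

    def ingest(self, finding: dict, seen: date) -> VulnRecord:
        key = (finding["source"], finding["id"])
        if key not in self.records:  # a re-scan must not reset the SLA clock
            self.records[key] = VulnRecord(finding["id"], finding["source"],
                                           finding["severity"].lower(), seen)
        return self.records[key]

    def resolve(self, source: str, vuln_id: str, evidence: str) -> None:
        rec = self.records[(source, vuln_id)]
        rec.status, rec.evidence = "resolved", evidence

    def escalate_breaches(self, today: date) -> list:
        # Per the register description, only critical findings past SLA go to the NCR.
        for key, rec in self.records.items():
            if rec.severity == "critical" and rec.sla_breached(today):
                self.ncr_escalations.setdefault(key, rec)
        return sorted(self.ncr_escalations)

def demo() -> list:
    """Constructed sample findings (placeholder ids); returns the keys escalated to the NCR."""
    findings = [
        {"source": "container", "id": "CVE-0000-0001", "severity": "CRITICAL"},
        {"source": "sast", "id": "rule.sqli.example", "severity": "critical"},
        {"source": "sca", "id": "CVE-0000-0002", "severity": "high"},
    ]
    reg = VulnRegister()
    for f in findings:
        reg.ingest(f, date(2024, 1, 1))
    reg.ingest(findings[0], date(2024, 1, 5))                 # re-scan: first_seen unchanged
    reg.resolve("sast", "rule.sqli.example", "PR <placeholder> merged")
    return reg.escalate_breaches(date(2024, 1, 10))           # day 9: 7-day critical SLA breached
```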