# Vulnerability Management Plan

## Scope

Define intake, triage, remediation, and verification for security findings.

## Intake

- Sources: SAST, DAST, dependency scans, bug reports
- Normalization: severity, CVE mapping, affected scope

## SLAs

- Critical: `X days`
- High: `Y days`
- Medium/Low: as planned

## Workflow

1. Create ticket and link to traceability and artifacts
2. Assign owner and due date
3. Fix and verify; attach evidence
4. Close and update reports

## Reporting

- Weekly status and trend lines
- Release gate summary