# VAPT Remediation Tracking SOP
Process for tracking and remediating VAPT findings
| Field | Value |
|---|---|
| Document ID | SOP-008 |
| Classification | Internal |
| Owner | SRE + Compliance |
| Effective Date | April 2026 |
| Review Cycle | Semi-Annual |
Owner: CTO / DevOps | Review: Annual | Effective: April 2026
## Purpose
Process for tracking, fixing, and verifying closure of vulnerabilities found during VAPT.
## Scope
Covers all vulnerabilities identified from VAPT: infrastructure scans, cloud config reviews, mobile and API assessments.
## Fix Timelines
| Severity | Fix Deadline | Re-Test |
|---|---|---|
| Critical | 15 days | 1 week after fix |
| High | 30 days | 2 weeks after fix |
| Medium | 60 days | Next VAPT cycle |
| Low | 90 days | Next VAPT cycle |
Timelines start from the date the VAPT report is accepted.
## Workflow
1. VAPT report accepted by CTO
2. Triage: CTO + DevOps review findings, validate true positives, dispute false positives
3. Assign owners within 48 hours (for Critical/High)
4. Fix: engineer develops fix → code review → deploy to staging → verify → deploy to production
5. Re-test: VAPT vendor re-tests Critical/High fixes
6. Close: re-test passed → finding marked closed
7. Re-open: re-test failed → back to step 4 (Fix); same timelines apply
## Remediation Tracker
Track each finding with:
- Finding ID, title, severity
- Affected asset
- Assigned to, assigned date
- Deadline
- Status (Open / In Progress / Fix Deployed / Re-Test Pending / Closed / Risk Accepted)
- Fix description and PR/commit link
- Re-test result and date
Location: Plane Engineering Board for task tracking.
## Risk Acceptance
When a fix is not feasible within the deadline:
- Document the reason and compensating controls in place
- Get approval:
  - Critical: CTO + CEO
  - High: CTO
  - Medium/Low: DevOps + CTO
- Risk acceptance reviewed every 6 months
- Compensating controls monitored until permanent fix is deployed
## Escalation
| Days Past Deadline | Action |
|---|---|
| Due date | Reminder to assigned engineer |
| +3 days | DevOps follows up |
| +7 days | Escalate to Engineering Lead |
| +14 days | CTO involved |
| +21 days | CTO → CEO (Critical/High) |
## Reporting
- Weekly (until Critical/High closed): open findings, deadline status, fixes deployed, blockers
- Monthly: open vs closed, compliance rate, trends
- Annual: board/auditor report with full VAPT summary and remediation stats
## Closure Criteria
A finding is closed when:
- VAPT vendor re-test confirms fix (Critical/High)
- Internal verification confirms fix (Medium/Low)
- Tracker updated with fix details and re-test result
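The following Python model is an added example, not part of this SOP and not the Plane board used for tracking. It encodes the rules from the Fix Timelines, Workflow, Remediation Tracker, Risk Acceptance, Escalation and Closure Criteria sections as one tracker row whose methods refuse transitions the SOP does not allow (a Critical/High finding closed on internal verification, a risk acceptance without the listed approvers) and compute the deadline and escalation action for any given date. Two details are assumptions, since the SOP does not state them: on re-open the fix clock restarts from the failed re-test date, and the 6-monthly risk review is approximated as 182 days. Finding IDs, asset names and engineer names in the usage are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Fix Timelines table: days allowed after the VAPT report is accepted.
FIX_DEADLINE_DAYS = {"Critical": 15, "High": 30, "Medium": 60, "Low": 90}
CRITICAL_HIGH = {"Critical", "High"}   # vendor re-test, 48h assignment, +21 day escalation
ASSIGNMENT_SLA_HOURS = 48
# Risk Acceptance approvals per severity.
REQUIRED_APPROVERS = {"Critical": {"CTO", "CEO"}, "High": {"CTO"},
                      "Medium": {"DevOps", "CTO"}, "Low": {"DevOps", "CTO"}}
# Escalation table as (days past deadline, action); the last rung is Critical/High only.
ESCALATION_LADDER = [(0, "Reminder to assigned engineer"), (3, "DevOps follows up"),
                     (7, "Escalate to Engineering Lead"), (14, "CTO involved"), (21, "CTO -> CEO")]


@dataclass
class Finding:
    """One row of the remediation tracker (fields from the Remediation Tracker section)."""
    finding_id: str
    title: str
    severity: str
    affected_asset: str
    accepted_on: date                     # date the VAPT report was accepted
    clock_start: Optional[date] = None    # deadline clock; restarts on re-open (assumption)
    assigned_to: Optional[str] = None
    assigned_on: Optional[date] = None
    status: str = "Open"
    fix_description: str = ""
    fix_reference: str = ""               # PR/commit link
    retest_result: Optional[str] = None
    retest_on: Optional[date] = None
    history: list = field(default_factory=list)   # (date, from_status, to_status)

    def __post_init__(self) -> None:
        if self.severity not in FIX_DEADLINE_DAYS:
            raise ValueError(f"unknown severity {self.severity!r}")
        if self.clock_start is None:
            self.clock_start = self.accepted_on

    @property
    def deadline(self) -> date:
        return self.clock_start + timedelta(days=FIX_DEADLINE_DAYS[self.severity])

    def _move(self, new_status: str, on: date) -> None:
        self.history.append((on, self.status, new_status))
        self.status = new_status

    def assign(self, engineer: str, on: date) -> bool:
        """Assign an owner; False means a Critical/High owner was assigned later than 48h."""
        self.assigned_to, self.assigned_on = engineer, on
        self._move("In Progress", on)
        if self.severity in CRITICAL_HIGH:
            return (on - self.accepted_on).days * 24 <= ASSIGNMENT_SLA_HOURS
        return True

    def deploy_fix(self, description: str, reference: str, on: date) -> None:
        """Fix reached production (workflow step 4); the finding now waits for re-test."""
        self.fix_description, self.fix_reference = description, reference
        self._move("Fix Deployed", on)
        self._move("Re-Test Pending", on)

    def record_retest(self, passed: bool, verified_by: str, on: date) -> str:
        """Apply the closure criteria; verified_by is 'vendor' or 'internal'."""
        if self.severity in CRITICAL_HIGH and verified_by != "vendor":
            raise ValueError("Critical/High findings close only on VAPT vendor re-test")
        self.retest_result, self.retest_on = ("Pass" if passed else "Fail"), on
        if passed:
            self._move("Closed", on)
        else:
            # Re-open: back to the Fix step with the same timelines. Assumption: the
            # fix clock restarts from the failed re-test date.
            self.clock_start = on
            self._move("In Progress", on)
        return self.status

    def accept_risk(self, reason: str, controls: str, approvers: set, on: date) -> date:
        """Record risk acceptance with the required approvals; returns the next review date."""
        missing = REQUIRED_APPROVERS[self.severity] - set(approvers)
        if missing:
            raise ValueError(f"missing approval from {sorted(missing)}")
        self.fix_description = f"RISK ACCEPTED: {reason}; compensating controls: {controls}"
        self._move("Risk Accepted", on)
        return on + timedelta(days=182)   # 6-monthly review, approximated as 182 days

    def escalation_action(self, today: date) -> Optional[str]:
        """Escalation table action due today, or None if not overdue or no longer open."""
        if self.status in ("Closed", "Risk Accepted"):
            return None
        days_past = (today - self.deadline).days
        action = None
        for threshold, step in ESCALATION_LADDER:
            if days_past < threshold or (threshold == 21 and self.severity not in CRITICAL_HIGH):
                break
            action = step
        return action
```

A weekly report is then a loop over the open rows calling `deadline` and `escalation_action(date.today())`; the `history` list gives the auditor the date of every status change, which the Annual report needs. A real deployment would persist these rows in the Plane board rather than in memory.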
## Roles
| Role | Responsibility |
|---|---|
| CTO | Accountability, deadline enforcement, risk acceptance |
| DevOps | Triage, tracking, re-test coordination |
| Engineering | Code fixes, verification |
| VAPT Vendor | Re-testing, reports |
Contact: security@wealthy.in