| name | vulnerability-management |
| description | Systematic vulnerability lifecycle management with SLAs aligned with OWASP, NIST, and CIS Controls for Node.js/TypeScript |
| license | Apache-2.0 |
Vulnerability Management Skill
Purpose
Systematic procedures for vulnerability discovery, remediation, and tracking in TypeScript/Node.js MCP server projects.
When to Use
- ✅ Analyzing Dependabot alerts
- ✅ Responding to GitHub Security Advisories
- ✅ Triaging CodeQL findings
- ✅ Prioritizing vulnerability remediation
- ✅ Managing SLA compliance for fixes
Severity Classification and SLAs
| Severity | CVSS Score | SLA | Escalation |
|---|
| 🔴 Critical | 9.0-10.0 | 7 days | Immediate |
| 🟠 High | 7.0-8.9 | 30 days | Within 1 day |
| 🟡 Medium | 4.0-6.9 | 90 days | Weekly review |
| 🟢 Low | 0.1-3.9 | 180 days | Monthly review |
Vulnerability Lifecycle
1. Discovery
npm audit
npx knip
2. Assessment
3. Remediation
git checkout -b security/CVE-2024-XXXXX
npm update affected-package
npm install affected-package@patched-version
npm audit
npm test
npm run build
4. Verification
- ✅ npm audit clean
- ✅ All tests pass
- ✅ CodeQL scan clean
- ✅ No regressions
- ✅ Documentation updated
Compliance Mapping
| Framework | Controls |
|---|
| ISO 27001:2022 | A.8.8 - Technical Vulnerability Management |
| NIST CSF 2.0 | DE.CM-8 - Vulnerability scans performed |
| CIS Controls v8 | Control 7 - Continuous Vulnerability Management |
| OWASP Top 10 | A06 - Vulnerable and Outdated Components |
ISMS Policy References
Core policies:
Supporting policies:
Remediation SLAs (CVSS-based)
| Severity | CVSS | Target Fix Window |
|---|
| Critical | 9.0–10.0 | 7 days |
| High | 7.0–8.9 | 30 days |
| Medium | 4.0–6.9 | 90 days |
| Low | 0.1–3.9 | 180 days |