Vulnerability Management Skill

Purpose

Provide systematic procedures for proactive vulnerability discovery, intelligent remediation, and transparent security communication across all Hack23 projects, with measurable SLAs aligned with business impact.

Rules

Severity Classification and SLAs

| Severity | CVSS Score | SLA      | Escalation        |
|----------|------------|----------|-------------------|
| Critical | 9.0-10.0   | 7 days   | CEO immediate     |
| High     | 7.0-8.9    | 30 days  | CEO within 1 day  |
| Medium   | 4.0-6.9    | 90 days  | Weekly review     |
| Low      | 0.1-3.9    | 180 days | Monthly review    |

Detection Sources

MUST enable on all repositories:

  • GitHub Dependabot for automated dependency vulnerability alerts
  • GitHub CodeQL for code-level vulnerability scanning
  • GitHub Secret Scanning for credential exposure
  • OWASP Dependency Check (where applicable)

Vulnerability Lifecycle

Phase 1: Discovery

  • MUST enable automated scanning on all repositories
  • MUST process vulnerability alerts within 24 hours of detection

Phase 2: Assessment

  • MUST evaluate CVSS score, exploitability, attack surface, and data exposure
  • MUST consider contextual risk (is the vulnerable component reachable?)
  • MUST document risk assessment for each vulnerability

Phase 3: Remediation

  • MUST prioritize patches and version upgrades as primary remediation
  • MUST create security-prefixed branches for fixes: security/CVE-YYYY-XXXXX
  • MUST include CVE reference and CVSS score in commit messages
  • MUST validate fix with security scanners before merging
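As an added example, not code from the Hack23 homepage repository or this skill, the severity table and the Phase 3 naming rules above expressed as a small policy check in Python: it maps a CVSS score to the band, SLA window and escalation path, computes the remediation deadline, and flags fix branches or commit messages that break the security/CVE-YYYY-XXXXX and CVE/CVSS rules. The CVE ids in the sample data are constructed placeholders, and the commit-message spellings it recognises for the score ("CVSS 9.8", "CVSS: 9.8") are an assumption, since the skill only requires that the score be present.

```python
import re
from datetime import date, timedelta

# Severity bands, SLA windows and escalation paths as the table in this skill states them.
SEVERITY_TABLE = [
    # (severity, min CVSS, max CVSS, SLA days, escalation)
    ("Critical", 9.0, 10.0, 7, "CEO immediate"),
    ("High", 7.0, 8.9, 30, "CEO within 1 day"),
    ("Medium", 4.0, 6.9, 90, "Weekly review"),
    ("Low", 0.1, 3.9, 180, "Monthly review"),
]

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
BRANCH_RE = re.compile(r"^security/(CVE-\d{4}-\d{4,})$")  # security/CVE-YYYY-XXXXX
# Assumed spellings of the score in a commit message: "CVSS 9.8", "CVSS: 9.8", "CVSS score 9.8".
CVSS_RE = re.compile(r"CVSS(?:\s*score)?\s*:?\s*(\d{1,2}(?:\.\d)?)", re.IGNORECASE)


def classify(cvss):
    """Map a CVSS base score to the skill's severity band, SLA and escalation path."""
    score = round(float(cvss), 1)
    for severity, low, high, sla_days, escalation in SEVERITY_TABLE:
        if low <= score <= high:
            return {"severity": severity, "sla_days": sla_days, "escalation": escalation}
    raise ValueError(f"CVSS score {cvss} is outside the 0.1-10.0 range the table covers")


def remediation_due(detected_iso, cvss):
    """SLA deadline as an ISO date: detection date plus the band's SLA window."""
    due = date.fromisoformat(detected_iso) + timedelta(days=classify(cvss)["sla_days"])
    return due.isoformat()


def validate_remediation(branch, commit_message):
    """Return the Phase 3 rule violations for a fix branch and its commit message."""
    findings = []
    m = BRANCH_RE.match(branch)
    if not m:
        findings.append(f"branch {branch!r} must be named security/CVE-YYYY-XXXXX")
    cves = set(CVE_RE.findall(commit_message))
    if not cves:
        findings.append("commit message lacks a CVE reference")
    elif m and m.group(1) not in cves:
        findings.append(f"commit message does not reference {m.group(1)} named in the branch")
    cvss = CVSS_RE.search(commit_message)
    if not cvss:
        findings.append("commit message lacks a CVSS score")
    else:
        try:
            classify(cvss.group(1))  # a score outside 0.1-10.0 is itself a finding
        except ValueError as exc:
            findings.append(str(exc))
    return findings
```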

Phase 4: Verification

  • MUST confirm vulnerability resolved by security scanner
  • MUST ensure no new vulnerabilities introduced
  • MUST pass all existing tests

Phase 5: Closure

  • MUST document resolution in changelog
  • MUST close associated GitHub Security Advisory
  • MUST conduct lessons-learned for Critical/High severity

Risk Acceptance

Risk acceptance MUST:

  • Be approved by CEO
  • Be valid for a maximum of 90 days
  • Include documented compensating controls
  • Be tracked in the risk register
  • Be reviewed monthly

Hack23 ISMS Policy References

Compliance Mapping

  • ISO 27001:2022: A.8.8 (Technical Vulnerability Management)
  • NIST CSF 2.0: DE.CM-8 (Vulnerability Scans), ID.RA (Risk Assessment)
  • CIS Controls v8.1: Control 7 (Continuous Vulnerability Management)
  • OWASP Top 10: A06:2021 (Vulnerable and Outdated Components)

Repository: hack23/homepage (GitHub Stars: 5, Weekly Installs: 14, First Seen: Mar 1, 2026)
Installed on: cline, github-copilot, codex, kimi-cli, gemini-cli, cursor (14 installs each)