security-vulnerability-management
Security Vulnerability Management
Overview
Use this skill to run vulnerability handling as an evidence-based lifecycle instead of ad hoc ticket triage.
Scope Boundaries
- Vulnerabilities arrive from SAST/DAST/dependency scans, bug bounty, or manual review.
- Teams need severity ranking, SLA targets, and remediation sequencing.
- Fix validation and closure criteria must be standardized.
Templates And Assets
- Vulnerability triage template:
assets/vulnerability-triage-template.csv
Inputs To Gather
- Vulnerability source, technical details, and reproduction evidence.
- Asset criticality, exploitability context, and external exposure.
- Available mitigations, patch options, and rollout constraints.
- Regulatory or contractual remediation time limits.
Deliverables
- Prioritized vulnerability backlog with severity rationale.
- Remediation plan that includes compensating controls when full fixes are delayed.
- Verification evidence for each fixed item.
- Metrics for aging, SLA breach risk, and recurrence patterns.
Workflow
- Normalize intake records and remove duplicates while preserving traceability in
assets/vulnerability-triage-template.csv. - Classify severity using impact, exploitability, and environment exposure.
- Decide remediation path: patch, configuration hardening, feature disablement, or compensating control.
- Assign owner and due date by severity/SLA with explicit escalation path.
- Validate fixes in code and runtime behavior, including regression checks.
- Close only after evidence confirms exploit path is removed or acceptably mitigated.
- Feed recurring classes back into secure coding and architecture guardrails.
Quality Standard
- Severity and priority decisions are explainable and consistent.
- High-risk items have rapid mitigation even before permanent fixes.
- Closure requires objective verification evidence.
- Program metrics expose backlog health and systemic weaknesses.
Failure Conditions
- Stop when critical vulnerabilities have no assigned owner or mitigation path.
- Stop when issues are closed without fix verification evidence.
- Escalate when SLA breach risk is imminent for high-severity items.
More from kentoshimizu/sw-agent-skills
graph-algorithms
Graph algorithm workflow for modeling entities/relations and selecting traversal, path, ordering, or flow strategies. Use when correctness or performance depends on graph representation and algorithm choice; do not use for schema-only modeling or deployment topology planning.
14bash-style-guide
Style, review, and refactoring standards for Bash shell scripting. Trigger when `.sh` files, files with `#!/usr/bin/env bash` or `#!/bin/bash`, or CI workflow blocks with `shell: bash` are created, modified, or reviewed and Bash-specific quality controls (quoting safety, error handling, portability, readability) must be enforced. Do not use for generic POSIX `sh`, PowerShell, or language-specific application style rules. In multi-language pull requests, run together with other applicable `*-style-guide` skills.
11architecture-clean-architecture
Clean Architecture workflow for enforcing dependency direction, stable domain boundaries, and use-case-centered application design. Use when teams must separate business rules from frameworks and delivery mechanisms; do not use for isolated module cleanup without boundary implications.
11powershell-style-guide
Style, review, and refactoring standards for PowerShell scripting. Trigger when `.ps1`, `.psm1`, `.psd1` files, or CI workflow blocks with `shell: pwsh` or `shell: powershell` are created, modified, or reviewed and PowerShell-specific quality controls (error handling, parameter validation, readability, operational safety) must be enforced. Do not use for Bash, generic POSIX `sh`, or language-specific application style rules. In multi-language pull requests, run together with other applicable `*-style-guide` skills.
10github-codeowners-management
Govern CODEOWNERS rules so review routing reflects real ownership and risk boundaries on GitHub. Use when repository ownership mapping or mandatory reviewer rules must be defined, updated, or audited; do not use for non-GitHub runtime architecture or data-layer design.
9security-authentication
Security workflow for authentication architecture, credential lifecycle, and session/token assurance. Use when login, identity proofing, MFA, or session security decisions are required; do not use for authorization policy design or non-security quality tuning.
9