Security Vulnerability

Security vulnerability knowledge lives entirely in engineers' heads — someone remembers a CVE was mentioned in a Slack thread last month, but there's no documented process for tracking, triaging, or remediating vulnerabilities.

None — AI has no vulnerability process definitions to follow or enforce.

A general vulnerability management document exists describing severity ratings and remediation expectations, but actual triage depends on who notices the CVE — 'We have a policy, but critical vulns still sit for weeks because nobody enforces the timeline.'

Can reference the policy document but cannot determine whether vulnerabilities are actually following the defined triage and remediation process.

Workflow stages for security vulnerabilities are defined with mandatory transitions — discovery through closure — but CVSS-to-SLA mappings, exception approval criteria, and risk acceptance documentation requirements are not formalized.

Can track security vulnerabilities through workflow stages but cannot enforce SLA compliance based on CVSS severity or manage exception approvals programmatically.

The vulnerability process defines CVSS-to-SLA mappings, exception approval chains, risk acceptance documentation standards, verification requirements, and knowledge base updates that capture remediation patterns for recurring vulnerability classes.

Can enforce SLA compliance by CVSS score, route exception approvals, track risk acceptances, and flag vulnerabilities requiring verification before closure.

Machine-readable policy rules automate security vulnerability lifecycle transitions — CVSS-driven SLA enforcement, automated assignment based on affected component ownership, exception routing with audit trails, and mandatory verification gates.

Can autonomously orchestrate the vulnerability lifecycle — automated triage by CVSS and asset criticality, intelligent assignment, SLA enforcement, and verification coordination.

Adaptive vulnerability process logic adjusts in real time — triage priority recalculates when exploit code appears in the wild, SLA targets tighten for internet-facing assets, and remediation patterns auto-generate playbooks from historical resolution successes.

Can autonomously manage the full security vulnerability lifecycle — discovery, prioritization, assignment, remediation orchestration, and verification — adapting to real-time threat context.

Ceiling of the CMC framework for this dimension.