Vulnerability Identification
• Out of Scope
• Pentesting
• Security Assess-
• PSIRT responsible for red teaming
• PSIRT-audit role: + CIS
• Dependency-Track (DT): SBOM scans
• DT/FOSSA
• FOSSA

Everyday illicit incidents
• Deduplicate
• Validate true/false positives
• Severity Classification

Remediation
• Remediation required? Create remediation task with Defect ID and severity
  - SBOM | License issues | FOSSA
• Assignment & Tracking: PSIRT, PSIRT-Audit, CIS
• Issue ✔️
• Exception needed? Time-bound exception
• Track exceptions in DefectDojo (Central Vulnerabilities, Defect ID); inputs from DT / FOSSA
• Prepare exception justification, CIS or EU-CRA

Exception Approval
• CIS or compliance
• Decision

✓ Accepted remediation task
• Fix removes the vulnerability
• SBOM updated
• DefectDojo CLOSED

Ensuring auditability (proof & reporting)
• Creating playbooks for repeat issues
• Vulnerabilities
• Severity/Affected Cn
• Timestamp audit trail

Reporting and Auditability
• Aging reports in DefectDojo
• SLA tracking
• Evidence collection
• Reports for CRA audits

TRUSTED REPOSITORY
• SBOM, SBOM after fixes
Workflow by Amps