In some cases, specific vulnerabilities cannot be fully remediated within the time-to-remediate period that the policy sets for that application. To allow extra time to remediate such a vulnerability, the Time To Remediate (TTR) date can be extended on specific vulnerabilities.
Initially, a TTR policy applies to the following vulnerability in the Bodgeit application. It has 1 day to remediate based on the TTR, but an engineer has also added the tag “Compensating Control in Place” as part of their workflow and wants to extend the TTR because of that control.
To extend the days to remediate, they click on the action button on the vulnerability. The last two options allow disabling or extending the TTR for just this vulnerability.
In this case, the engineer wants to properly remediate this issue in a few months, but the compensating control is sufficient for now. They click Change Time To Remediate to extend days to remediate by 120.
Now, the time to remediate for this vulnerability is extended.
ThreadFix remembers the original dates for this vulnerability, including the first TTR date. An extension to the time to remediate can always be removed, and the original date will return. In this case, the engineer realized they want the vulnerability to be fully remediated in 120 days, not 121. They change this value and it’s reflected on the vulnerability.
All of these actions are logged and shown in the history on that vulnerability’s details page.
Permissions
The Manage Policies permission controls whether users can access vulnerability Action items and change or disable a TTR on individual vulnerabilities. In the screenshot below this permission is off, which restricts access to extending or disabling TTR.