As of December 31st, 2023, ThreadFix 2.X has reached End of Life and is no longer supported. For any further information, please contact the Success and Implementation team.

In some cases, specific vulnerabilities cannot be fully remediated within the time-to-remediate period set by the policy for that application. To allow extra time to remediate such a vulnerability, the Time To Remediate (TTR) date can be extended on specific vulnerabilities.

Initially, a TTR policy applies to the following vulnerability in the Bodgeit application. It has 1 day to remediate based on the TTR, but an engineer has also added the tag “Compensating Control in Place” as part of their workflow and wants to extend the TTR because of that control.

To extend the days to remediate, they click on the action button on the vulnerability. The last two options allow disabling or extending the TTR for just this vulnerability.

In this case, the engineer wants to properly remediate this issue in a few months, but the compensating control is sufficient for now. They click Change Time To Remediate to extend days to remediate by 120.

Now, the time to remediate for this vulnerability is extended.

ThreadFix remembers the original dates for this vulnerability, including the first TTR date. An extension can always be removed, and the original date will return. In this case, the engineer realizes they want the vulnerability to be fully remediated in 120 days, not 121. They change this value and it’s reflected on the vulnerability.

All these actions are logged and shown in the history on that vulnerability's details page.

Permissions

The Manage Policies permission controls whether users can access vulnerability Action items and change or disable a TTR on individual vulnerabilities. In the screenshot below, this policy is off, which restricts access to extending or disabling TTR.
