Safeguard.sh Documentation Center

Vulnerability & Exposure Management

Roadmap — a single-pane management layer over the unified findings store, adding a deduplicated risk-ranked backlog, SLA policies, ownership routing, bi-directional ticketing, expiring risk exceptions, campaigns, and metrics.

Vulnerability & Exposure Management

Roadmap — not yet available. VEM is a planned capability documented here for direction. It is a management overlay on findings that ship today; the overlay itself is not yet available.

Vulnerability & Exposure Management is the single-pane orchestration layer planned over the unified findings store. It is explicitly not a scanner — it produces no findings and adds no finding types. It overlays lifecycle, SLA, ownership, ticketing, exception, and reporting workflow on the canonical (AutoTriage-deduped) findings, reusing the existing prioritization, reachability, risk score, and correlation graph rather than recomputing any of them.

Planned capabilities

CapabilityWhat it will do
Unified backlogOne deduplicated, risk-ranked list of remediation items across every finding type, using AutoTriage's priority score, reachability, and correlation grouping (one fix closes many)
SLA policiesDue dates by severity × asset criticality × finding type × environment, with at-risk and breach states and escalation
Ownership routingAuto-route items to the owning team from the asset registry; manual reassignment, audited; per-owner workload views
Bi-directional ticketingJira / ServiceNow / GitHub sync — one ticket per canonical finding group, conflict-resolved and reconciled
Risk exceptionsApproval-gated, expiring, audited risk-acceptance that pauses the SLA clock and reliably re-opens on expiry
CampaignsBounded remediation drives over a saved filter, with burn-down tracking and auto-complete
Metrics & reportingMTTR, aging, burn-down, SLA attainment, reopened-rate, and executive risk reports

Reuse, not recompute (design principle)

The core design constraint is that VEM references shipped outputs and never re-derives them: one AutoTriage, one reachability engine, one risk score, one correlation graph, one connector stack, one findings index. Every VEM entity references a canonical finding group; none copies a finding or extends the finding model. This keeps priority and risk consistent everywhere they appear.

Malware and secrets are never suppressible

A hard guarantee carried over from AutoTriage: no VEM path — SLA de-prioritization, exception activation, or a backlog filter — can ever hide a malware or secrets finding. A shared guard is called before any suppression, and approving a risk exception on a malware group is refused and audited. An expired exception is an enforced invariant: expired-but-still-suppressed count is always zero.

When it ships

VEM will be tenant-scoped and audit-logged, gated by the ff.exposuremgmt feature flag (with sub-flags for ticket sync, campaigns, and exceptions), and surfaced through the app, GPT, CLI, and MCP. Its external-facing counterpart is CTEM & EASM.

On this page