The organization has defined a process for addressing identified technical vulnerabilities.
Some vulnerabilities can be fixed directly, but vulnerabilities that have a significant impact should also be documented as security incidents. Once a vulnerability with significant impacts has been identified:
We have defined the rules for responding to identified vulnerabilities. The rules may include e.g. the following things:
Vulnerabilities related to high-risk data systems are always of high severity and are addressed first.