Skill

vulnerability-management

Enforces vulnerability management and patching for AI software dependencies with CVE triage, response timelines, and SBOM tracking.

security

npx claudepluginhub redhatproductsecurity/prodsec-skills --plugin prodsec-skills

Popularity

Stars

Forks

Invocation

How this skill is triggered — by the user, by Claude, or both

Slash command

/prodsec-skills:vulnerability-management

User invocable

Model invocable

Inline context

Default effort

Context Preview

The summary Claude sees in its skill listing — used to decide when to auto-load this skill

AI software projects MUST have a plan to quickly patch and release fixes for new CVEs discovered in their dependencies. Unpatched vulnerabilities in dependencies are one of the most common attack vectors.

SKILL.md

56 lines · ~568 tokens

Similar Skills

vulnerability-management

Manages vulnerability lifecycle: tracks CVEs, scores with CVSS, prioritizes risks using EPSS/KEV, designs remediation workflows, patch management, and disclosure practices.

2 files8 tools

security

audit-dependency-vulnerabilities

Audits third-party dependencies for known vulnerabilities, license issues, and supply chain risks. Guides SBOM generation, automated scanning, triage by CVSS score, and remediation.

grimoire

vulnerability-management-program

Establish vulnerability management program to identify, prioritize, remediate, and track vulnerabilities across infrastructure.

security-operations

Stats

LanguagePython

Stars34

Forks3

MaintenanceExcellent

Last CommitMay 26, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Stats

Actions

Help us improve

Share bugs, ideas, or general feedback.

Vulnerability Management

Security Requirement

Vulnerability Management Process

New CVE disclosed → Automated alert (from SCA tool or advisory feed) → Triage: assess severity and exploitability in context → Prioritize: schedule fix based on severity and exposure → Patch: update dependency or apply workaround → Test: verify the fix does not break functionality → Release: publish patched version → Notify: inform users of the security update

Response Timelines

Severity

Target Remediation Window

Critical

30 days from issue creation

Important

60 days from issue creation

Moderate

90 days from issue creation

Low

Best effort / no fixed SLA

Required Capabilities

Capability

Details

Dependency tracking

Know exactly which dependencies are in each release (SBOM)

CVE monitoring

Automated alerts for new CVEs affecting project dependencies

Rapid patching

Ability to quickly update dependencies and release patches

Security advisories

Publish security advisories for affected versions

Backporting

Support patching older, still-supported versions

Implementation Checklist

Subscribe to CVE feeds and advisories for all dependencies

Integrate automated CVE scanning in CI/CD (SCA tools)

Define and document response timelines per severity level

Establish a process for emergency security releases

Publish security advisories for patched vulnerabilities

Maintain an SBOM to quickly identify affected releases

Test patches before releasing (automated regression tests)

Notify users of security updates through established channels