
Operating Guidelines for Device Vulnerability Management

Published March 16, 2026 · Estimated read time: 8 minutes


1. Define the project scope

Create one Vulnerability Management Project per product line or managed device family. Assign ownership roles early (Owner, Member, Observer) and define policy timelines for triage and closure.

2. Build an accurate Device Model

Identify every Processing Unit in the device and the execution environment it runs. For each unit, capture hardware type, system type, interfaces, and vendor/part identifiers. Then generate the Hardware Bill of Materials (HBOM) and Software Bill of Materials (SBOM) with the ARIANNA tools. Vulnerability matching is only as accurate as the component identifiers and versions recorded here, so verify them against the actual firmware image rather than the design documents.

3. Run continuous monitoring daily

Enable daily report generation and review newly identified vulnerabilities. Use report sections (Overview, Device Model, Vulnerabilities, Highlights) to track exposure trends and workload.

4. Apply standardized triage workflow

  1. Move new findings from UNMANAGED to IN TRIAGE.
  2. Validate applicability in the device context: the affected component is actually present in the image, the vulnerable code path is reachable, and the configuration the advisory assumes applies.
  3. Set the risk and the management strategy (IN PROGRESS, PLANNED UPDATE, PLANNED PATCH, ACCEPTED, NOT APPLICABLE).
  4. Document every decision with notes and the action history, so that an auditor or a later triager can see why a finding was accepted or ruled out.

5. Prioritize by risk and exploitability

Do not rank by CVSS base severity alone. Use the ARIANNA pre-triage signals (CISA KEV listing, EPSS score, exploit maturity, and attack vector) to focus teams on the issues with the highest real-world likelihood of exploitation and business impact. A 9.8 in a component no attacker can reach is often less urgent than a 7.5 that is being exploited in the wild.
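The following is an added example, not ARIANNA's own pre-triage logic, of how those signals can be combined into a queue order. The weights, the KEV floor and the four sample findings (with placeholder ids, not real CVEs) are constructed for illustration; the point it makes is that the CVSS-highest finding lands third once EPSS, exploit maturity, KEV and device-level reachability are applied.

```python
"""Rank findings by real-world exploitability rather than CVSS severity alone.

Added example, not ARIANNA's pre-triage logic. The weights below and the
sample findings are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    id: str                     # placeholder identifier, not a real CVE
    cvss_base: float            # CVSS v3.1 base score from the advisory
    cvss_vector: str            # CVSS v3.1 vector string from the advisory
    epss: float                 # EPSS probability of exploitation within 30 days
    in_kev: bool                # listed in the CISA Known Exploited Vulnerabilities catalog
    exploit_maturity: str       # CVSS temporal E: "unproven", "poc", "functional", "high"
    exposed_interfaces: tuple   # device interfaces on which the affected component is reachable


def attack_vector(vector: str) -> str:
    """Return the AV metric (N, A, L or P) of a CVSS v3.x vector string."""
    for metric in vector.split("/")[1:]:
        name, _, value = metric.partition(":")
        if name == "AV":
            return value
    raise ValueError(f"no AV metric in {vector!r}")


# Assumed weights: how much each signal scales the base score.
MATURITY_WEIGHT = {"unproven": 0.2, "poc": 0.5, "functional": 0.9, "high": 1.0}
AV_WEIGHT = {"N": 1.0, "A": 0.7, "L": 0.4, "P": 0.2}
KEV_FLOOR = 8.0   # anything known to be exploited in the wild stays in the top queue


def priority(f: Finding) -> float:
    """Priority score in 0..10: base severity scaled by likelihood and reachability."""
    likelihood = max(f.epss, MATURITY_WEIGHT[f.exploit_maturity])
    av = attack_vector(f.cvss_vector)
    reach = AV_WEIGHT[av]
    # A network-vector flaw in a component that listens on no external interface of
    # this device is far less reachable than the advisory's generic score assumes.
    if av == "N" and not f.exposed_interfaces:
        reach *= 0.3
    score = f.cvss_base * (0.3 + 0.7 * likelihood) * reach
    if f.in_kev:
        score = max(score, KEV_FLOOR)
    return round(min(score, 10.0), 2)


# Constructed sample: a 9.8 that nobody exploits versus a 7.5 that is in KEV.
SAMPLE_FINDINGS = [
    Finding("F-1", 9.8, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 0.01, False, "unproven", ()),
    Finding("F-2", 7.5, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 0.85, True, "functional", ("eth0",)),
    Finding("F-3", 8.8, "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 0.40, False, "poc", ("wlan0",)),
    Finding("F-4", 5.5, "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", 0.02, False, "unproven", ()),
]


def ranked_ids(findings=SAMPLE_FINDINGS) -> list:
    """Finding ids ordered for the triage queue, highest priority first."""
    return [f.id for f in sorted(findings, key=priority, reverse=True)]


if __name__ == "__main__":
    for f in sorted(SAMPLE_FINDINGS, key=priority, reverse=True):
        print(f"{f.id}: base {f.cvss_base:4.1f} -> priority {priority(f):5.2f}")
```

Run as a script it prints the queue order F-2, F-3, F-1, F-4: the KEV-listed 7.5 on an exposed interface leads, and the 9.8 with no exploit and no exposed interface drops to third. Tune the weights to your own policy, but keep the KEV floor; a finding actively exploited in the wild should never be buried by a low EPSS value.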

6. Manage model/version lifecycle

On each release, create a new Device Model version linked to the previous one. ARIANNA preserves the triage context, notifies you of vulnerabilities that are new to that version, and automatically closes findings whose vulnerable components were removed or updated. Findings that were ACCEPTED or marked NOT APPLICABLE on the previous version should still be re-checked when the component or its configuration changed, since the justification may no longer hold.

7. Enforce policy and deadlines

Use policy-based remediation timelines by risk class, so that each finding gets a deadline from its detection date and risk rating. Review the Expiring and Expired highlights regularly to prevent SLA drift and the audit findings that follow from it.

8. Export audit-ready evidence

Export technical and management views in CycloneDX, SPDX, VEX, or PDF. Use these outputs for customer communication, internal governance, and regulatory evidence. A VEX export is the machine-readable counterpart of the triage decisions in step 4: it tells a customer which reported vulnerabilities do not affect the device and why, and which ones have a planned fix.
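To show what such an export looks like, here is an added example, not ARIANNA's exporter, that turns triage records carrying the management strategies of step 4 into a standalone CycloneDX VEX document. The mapping from strategy to CycloneDX `analysis.state` and `analysis.response` is an assumption made for this example, the triage records are constructed, and their ids are placeholders rather than real CVEs. The one rule it enforces is that a NOT APPLICABLE decision cannot be exported without a machine-readable justification.

```python
"""Export triage decisions as a CycloneDX VEX document.

Added example, not ARIANNA's exporter. The mapping from the management
strategies in step 4 to CycloneDX analysis states is assumed; the triage
records below are constructed and their ids are placeholders, not real CVEs.
"""
import json
import uuid

# CycloneDX analysis.state and analysis.justification enumerations (spec 1.4 and later).
VALID_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
                "in_triage", "false_positive", "not_affected"}
VALID_JUSTIFICATIONS = {
    "code_not_present", "code_not_reachable", "requires_configuration",
    "requires_dependency", "requires_environment", "protected_by_compiler",
    "protected_at_runtime", "protected_at_perimeter", "protected_by_mitigating_control",
}

# Assumed mapping: ARIANNA strategy -> (VEX state, VEX response or None).
STRATEGY_TO_VEX = {
    "UNMANAGED":      ("in_triage", None),
    "IN TRIAGE":      ("in_triage", None),
    "IN PROGRESS":    ("exploitable", "update"),
    "PLANNED UPDATE": ("exploitable", "update"),
    "PLANNED PATCH":  ("exploitable", "update"),
    "ACCEPTED":       ("exploitable", "will_not_fix"),
    "NOT APPLICABLE": ("not_affected", None),
    "CLOSED":         ("resolved", None),
}


def to_vex_entry(record: dict) -> dict:
    """Translate one triage record into a CycloneDX `vulnerabilities[]` entry."""
    state, response = STRATEGY_TO_VEX[record["strategy"]]
    analysis = {"state": state, "detail": record.get("note", "")}
    if state == "not_affected":
        # A not_affected statement without a machine-readable reason is worthless
        # to a downstream consumer, so refuse to export one.
        justification = record.get("justification")
        if justification not in VALID_JUSTIFICATIONS:
            raise ValueError(f"{record['id']}: NOT APPLICABLE requires a valid justification")
        analysis["justification"] = justification
    if response is not None:
        analysis["response"] = [response]
    return {
        "id": record["id"],
        "source": {"name": record.get("source", "NVD")},
        "analysis": analysis,
        # bom-refs of the affected components in the device SBOM
        "affects": [{"ref": ref} for ref in record["component_refs"]],
    }


def build_vex(records, serial_number=None) -> dict:
    """Assemble a standalone CycloneDX VEX document from triage records."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": serial_number or f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "vulnerabilities": [to_vex_entry(r) for r in records],
    }


# Constructed triage records; component_refs are placeholder bom-refs from the device SBOM.
SAMPLE_RECORDS = [
    {"id": "EXAMPLE-0001", "strategy": "NOT APPLICABLE", "justification": "code_not_reachable",
     "note": "Vulnerable function is not linked into the firmware image",
     "component_refs": ["pkg:generic/libtls@1.2.3"]},
    {"id": "EXAMPLE-0002", "strategy": "PLANNED UPDATE",
     "note": "Fixed in the next firmware release", "component_refs": ["pkg:generic/httpd@2.0.0"]},
    {"id": "EXAMPLE-0003", "strategy": "ACCEPTED",
     "note": "Requires physical access; enclosure is tamper-evident",
     "component_refs": ["pkg:generic/bootloader@0.9"]},
]


def export_json(records=SAMPLE_RECORDS) -> str:
    """Serialised VEX document ready to hand to a customer or an auditor."""
    return json.dumps(build_vex(records), indent=2)


if __name__ == "__main__":
    print(export_json())
```

Whatever mapping you settle on, keep it in one place and version it with the policy: a customer who receives `not_affected` for a finding will treat it as a commitment, so the justification and the note should be the same text the triager recorded in step 4, not a summary written at export time.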

9. Integrate with CI/CD

Automate SCA (software composition analysis) execution, model uploads, and report generation in the release pipeline. Route high-priority findings to the triage queues immediately after each build or release event, so that a new exploitable finding is seen by a triager before the release ships rather than at the next scheduled review.

10. Review maturity quarterly

Track operational KPIs: open/closed trend, mean age of open vulnerabilities, percentage within policy deadlines, and closure reasons. Use these metrics to tune prioritization rules and staffing.
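The following added example, not ARIANNA code, puts the deadline policy of step 7 and the KPIs of this step into one computation so the two can be checked against each other. The policy windows per risk class, the seven-day "expiring" warning window, and the six finding records (placeholder ids, not real identifiers) are assumed and constructed for illustration; the percentage-within-policy KPI is defined here as open findings not yet past their deadline plus closed findings closed by their deadline, over all findings.

```python
"""Policy deadlines by risk class (step 7) and the quarterly KPIs of step 10.

Added example, not ARIANNA code. The policy windows, the 'expiring' warning
window and the finding records are assumed and constructed for illustration.
"""
from datetime import date, timedelta
from statistics import mean

# Assumed policy: days allowed from first detection to closure, per risk class.
POLICY_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}
EXPIRING_WINDOW = timedelta(days=7)   # assumed: warn when the deadline is a week out


def deadline(f: dict) -> date:
    """Policy deadline of a finding: detection date plus the window of its risk class."""
    return f["opened"] + timedelta(days=POLICY_DAYS[f["risk"]])


def highlight(f: dict, today: date) -> str:
    """Classify a finding as 'closed', 'expired', 'expiring' or 'on_track'."""
    if f["closed"] is not None:
        return "closed"
    due = deadline(f)
    if today > due:
        return "expired"
    if today + EXPIRING_WINDOW >= due:
        return "expiring"
    return "on_track"


def within_policy(f: dict, today: date) -> bool:
    """Open findings count while not yet expired; closed ones count if closed by the deadline."""
    if f["closed"] is None:
        return today <= deadline(f)
    return f["closed"] <= deadline(f)


def kpis(findings, today: date, period_start: date) -> dict:
    """Operational KPIs for the review period from period_start to today."""
    open_now = [f for f in findings if f["closed"] is None]
    closed = [f for f in findings if f["closed"] is not None]
    reasons = {}
    for f in closed:
        reasons[f["closure_reason"]] = reasons.get(f["closure_reason"], 0) + 1
    return {
        "opened_in_period": sum(1 for f in findings if f["opened"] >= period_start),
        "closed_in_period": sum(1 for f in closed if f["closed"] >= period_start),
        "open_now": len(open_now),
        # Mean age is measured over still-open findings only, against today.
        "mean_open_age_days": round(mean((today - f["opened"]).days for f in open_now), 1) if open_now else 0.0,
        "pct_within_policy": round(100 * sum(within_policy(f, today) for f in findings) / len(findings), 1) if findings else 0.0,
        "expired": sum(1 for f in open_now if highlight(f, today) == "expired"),
        "expiring": sum(1 for f in open_now if highlight(f, today) == "expiring"),
        "closure_reasons": reasons,
    }


TODAY = date(2026, 3, 16)
PERIOD_START = date(2026, 1, 1)

# Constructed findings; ids are placeholders, not real identifiers.
SAMPLE_FINDINGS = [
    {"id": "F-1", "risk": "critical", "opened": date(2026, 2, 20), "closed": None, "closure_reason": None},
    {"id": "F-2", "risk": "high",     "opened": date(2026, 2, 20), "closed": None, "closure_reason": None},
    {"id": "F-3", "risk": "medium",   "opened": date(2026, 1, 10), "closed": date(2026, 2, 1),  "closure_reason": "component_updated"},
    {"id": "F-4", "risk": "low",      "opened": date(2025, 11, 1), "closed": date(2026, 3, 10), "closure_reason": "accepted"},
    {"id": "F-5", "risk": "critical", "opened": date(2026, 1, 5),  "closed": date(2026, 2, 10), "closure_reason": "patched"},
    {"id": "F-6", "risk": "medium",   "opened": date(2026, 3, 1),  "closed": None, "closure_reason": None},
]


def quarterly_report(findings=SAMPLE_FINDINGS, today=TODAY, period_start=PERIOD_START) -> dict:
    """KPI dictionary for the quarterly maturity review."""
    return kpis(findings, today, period_start)


if __name__ == "__main__":
    for key, value in quarterly_report().items():
        print(f"{key}: {value}")
```

On the constructed data the report shows one expired critical (F-1, fourteen days elapsed on Mar 6), one high expiring within the week (F-2, due Mar 22), and 66.7 % of findings within policy; F-5 pulls that number down because it was patched 22 days after a 14-day window. Note that a closed finding keeps counting against the within-policy KPI forever if it was closed late, which is the behaviour you want when the metric is used as audit evidence rather than as a snapshot.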