Skip to content
All Skills

Building Vulnerability Exception Tracking System

Build a vulnerability exception and risk acceptance tracking system with approval workflows, compensating controls documentation, and expiration management.

Security & Compliance|v1|Updated 7/2/2026|GitHub source
MCP get_skill({ skillId: "building-vulnerability-exception-tracking-system-b8a374df" })

Use this skill with your agent

Create a free account and connect via MCP

Get Started Free
# Building Vulnerability Exception Tracking System

## Overview

A vulnerability exception tracking system manages cases where vulnerabilities cannot be remediated within SLA timelines. It provides structured workflows for requesting exceptions, documenting compensating controls, obtaining risk acceptance approvals, and automatically expiring exceptions when their validity period ends. This ensures organizations maintain visibility into accepted risks while complying with frameworks like PCI DSS, SOC 2, and NIST CSF.


## When to Use

- When deploying or configuring building vulnerability exception tracking system capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation

## Prerequisites

- Python 3.9+ with `flask`, `sqlalchemy`, `requests`, `jinja2`
- PostgreSQL or SQLite database
- Email/Slack integration for approval notifications
- Vulnerability management platform API (DefectDojo, Qualys, Tenable)

## Exception Request Workflow

### Exception Categories
| Category | Description | Max Duration | Approver Level |
|----------|------------|-------------|----------------|
| Remediation Delay | Patch available but deployment blocked | 30 days | Team Lead + Security |
| No Fix Available | Vendor has not released a patch | 90 days | Security Director |
| Business Critical | System cannot be patched without outage | 60 days | VP Engineering + CISO |
| False Positive | Finding is not a real vulnerability | Permanent | Security Analyst |
| Compensating Control | Alternative mitigation in place | 180 days | Security Architect |

### Required Fields for Exception Request

```python
exception_schema = {
    "cve_id": "CVE-2024-XXXX",
    "finding_id": "unique-finding-reference",
    "asset_hostname": "prod-db-01.corp.local",
    "severity": "high",
    "cvss_score": 8.1,
    "category": "remediation_delay",
    "justification": "Database upgrade required before patch can be applied",
    "compensating_controls": [
        "WAF rule blocking exploit pattern deployed",
        "Network segmentation restricting access to trusted VLANs only",
        "Enhanced monitoring via Splunk alert for exploitation indicators"
    ],
    "requested_expiration": "2024-06-15",
    "requestor_email": "[email protected]",

Continue reading

Sign up for a free account to view the full skill content

Login / Register
#mukul-cybersecurity-skills#security#cybersecurity#vulnerability#managementpython
Building Vulnerability Exception Tracking System - AgentArmory Skill — AgentArmory