This document describes the process for requesting, approving, and tracking security exceptions.
Request an exception when:
- A security gate blocks deployment but business requires immediate action
- A vulnerability cannot be remediated within standard SLA
- A legacy system requires temporary non-compliance
- A false positive requires time to investigate
Do NOT use exceptions to:
- Bypass security permanently
- Avoid fixing known vulnerabilities
- Skip required approvals
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ 1. Request │────▶│ 2. Review │────▶│ 3. Approval │
│ Create PR with │ │ Security team │ │ Merge PR with │
│ exception doc │ │ assesses risk │ │ approval │
└─────────────────┘ └─────────────────┘ └─────────────────┘
│
▼
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ 6. Close │◀────│ 5. Monitor │◀────│ 4. Implement │
│ Remove or │ │ Track during │ │ Apply │
│ renew │ │ exception │ │ compensating │
└─────────────────┘ └─────────────────┘ └─────────────────┘
- Copy the exception template
- Fill in all required fields
- Save as
EXC-XXX-short-description.mdinsecurity/exceptions/ - Create a pull request
- Summary: One-sentence description
- Justification: Why the exception is needed
- Risk assessment: Impact if exploited
- Compensating controls: Mitigations in place
- Remediation plan: How and when it will be fixed
- Expiration date: Maximum 90 days
Security team will:
- Assess the risk level
- Evaluate compensating controls
- Verify remediation plan is realistic
- Request additional information if needed
| Risk Level | Review Time |
|---|---|
| Critical | 4 hours |
| High | 1 business day |
| Medium | 3 business days |
| Low | 5 business days |
Approval authority by risk level:
| Risk Level | Approver |
|---|---|
| Critical | CISO + VP Engineering |
| High | Security Lead + Engineering Manager |
| Medium | Security Team Member |
| Low | Security Team Member |
Approval is recorded via PR approval and merge.
Before the exception is active:
- Implement all stated compensating controls
- Enable additional monitoring if required
- Document control implementation
During the exception period:
- Security team reviews status weekly
- Remediation progress is tracked
- Any incidents are linked to the exception
At expiration:
- Verify the fix is in place
- Remove or archive the exception document
- Close any related tracking issues
- Create a new exception request (new PR)
- Explain why original timeline was not met
- Provide updated remediation plan
- Maximum 2 renewals (then escalation required)
| Constraint | Limit |
|---|---|
| Maximum duration | 90 days |
| Maximum renewals | 2 |
| Critical exceptions in production | 0 (requires escalation) |
All exceptions are tracked in Git:
- Creation: PR opened
- Approval: PR approved and merged
- Modification: Commits to exception file
- Closure: File removed or archived
This provides complete audit history for compliance reviews.
Escalate to CISO if:
- Exception renewal denied but business still blocked
- Critical vulnerability requires production exception
- Exception request rejected but team disagrees
- Compensating controls cannot be implemented
See examples/ for sample exception requests.