All Vulnerabilities in SecurityCenter
- Don't accept/recast risk for Critical vulnerabilities that are also Exploitable without first discussing with the security team for approval.
- Always either remediate, accept, or recast Critical and High vulnerabilities.
- If you are going to Accept or Recast Risk, comments and an expiration date (of reasonable length, no longer than a year) are always mandatory.
- "No known exploits" is not a valid reason by itself for accepting or recasting risk (an exploit could come out tomorrow).
- There is no need to accept/recast risk for vulnerabilities of Low severity (or lower).
...