SLA Policy

HarborGuard enforces a per-severity remediation SLA that determines when an open vulnerability counts as breached. The SLA is part of your compliance policy and applies to every open finding across the organization.

Defaults

Severity    Default SLA
Critical    1 day
High        3 days
Medium      7 days
Low         14 days

The platform requires the deadlines to be strictly increasing — critical < high < medium < low — so you cannot accidentally configure a policy where a Medium vulnerability has less time than a Critical one. The low tier may be set to null to opt out of tracking Low SLAs.

Each tier is bounded between 1 and 365 days.

How the deadline is computed

When a vulnerability is detected, HarborGuard records timeline.detectedAt. With autoSlaDeadline enabled (the default) the deadline is:

triage.slaDeadline = timeline.detectedAt + slaPolicy[severity]

If you change the SLA policy, an opt-in backfill recomputes deadlines for every open vulnerability — toggle Backfill open vulnerabilities when saving the policy.

Events

HarborGuard fires two compliance events tied to SLA:

Event          Fired when
sla_warning    An open finding will breach within the next slaBreachLeadTimeDays days (default 3).
sla_breach     An open finding's deadline has passed and it is still in OPEN, ACKNOWLEDGED, or IN_PROGRESS.

Each event is dispatched to the channel list configured in Policy → Notifications routing:

{
  "notifications": {
    "sla_breach": ["chan_slack_secops", "chan_pagerduty_oncall"],
    "sla_warning": ["chan_slack_secops"],
    "slaBreachLeadTimeDays": 3
  }
}

Updating the policy

curl -X PUT \
  -H "Authorization: Bearer $HG_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "slaPolicy": { "critical": 1, "high": 3, "medium": 7, "low": 14 },
    "backfillOnSave": true
  }' \
  "https://harborguard.co/api/organization/compliance-policy"

PUT /api/organization/compliance-policy requires the admin role. The endpoint records an organization.policy_updated audit event with a diff of every changed field.

Excluding suppressed findings

Findings covered by an active attestation are not counted toward SLA breach metrics. Once the attestation expires, the finding re-opens and its deadline is recomputed from the original detection date — meaning long-expired attestations may immediately surface as breaches. Plan attestation expiry dates accordingly.

Some frameworks impose minimum SLAs (PCI DSS, HIPAA). The policy editor surfaces a warning when your configured SLA is laxer than a framework floor, but does not block the save — your audit team should review.
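The rules above (the 1..365 bound and strictly-increasing check, the deadline formula, the sla_warning/sla_breach conditions, and the attestation exclusion) put together as an added Python example; this is not HarborGuard's own code, and the attestedUntil field name on a finding is an assumption.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

TIERS = ("critical", "high", "medium", "low")
ACTIVE_STATUSES = {"OPEN", "ACKNOWLEDGED", "IN_PROGRESS"}

def policy_errors(sla_policy: dict) -> list:
    """Violations of the documented constraints (empty list if the policy is valid)."""
    tiers = TIERS[:3] if sla_policy.get("low") is None else TIERS  # low may be null
    errors = [f"{t}: must be an integer between 1 and 365 days" for t in tiers
              if not isinstance(sla_policy.get(t), int) or not 1 <= sla_policy[t] <= 365]
    values = [sla_policy.get(t) for t in tiers]
    if not errors and any(a >= b for a, b in zip(values, values[1:])):
        errors.append("deadlines must be strictly increasing: critical < high < medium < low")
    return errors

def sla_deadline(detected_at: datetime, severity: str, sla_policy: dict) -> Optional[datetime]:
    """triage.slaDeadline = timeline.detectedAt + slaPolicy[severity]; None when untracked."""
    days = sla_policy.get(severity.lower())
    return None if days is None else detected_at + timedelta(days=days)

def sla_event(finding: dict, sla_policy: dict, now: datetime, lead_time_days: int = 3) -> Optional[str]:
    """Return 'sla_breach', 'sla_warning' or None for one finding."""
    if finding["status"] not in ACTIVE_STATUSES:
        return None  # only OPEN / ACKNOWLEDGED / IN_PROGRESS findings are evaluated
    attested_until = finding.get("attestedUntil")  # assumed field name for attestation expiry
    if attested_until is not None and attested_until > now:
        return None  # active attestation: excluded from SLA breach metrics
    deadline = sla_deadline(finding["detectedAt"], finding["severity"], sla_policy)
    if deadline is None:
        return None  # low tier set to null: Low SLAs are not tracked
    if now > deadline:
        return "sla_breach"  # still measured from the ORIGINAL detection date
    if deadline - now <= timedelta(days=lead_time_days):
        return "sla_warning"
    return None

def demo() -> dict:
    """Constructed sample findings evaluated against the default policy."""
    policy = {"critical": 1, "high": 3, "medium": 7, "low": 14}
    now = datetime(2024, 6, 10, tzinfo=timezone.utc)
    ago = lambda d: now - timedelta(days=d)
    findings = {
        "crit_2d_open": {"status": "OPEN", "severity": "critical", "detectedAt": ago(2)},
        "high_1d_wip": {"status": "IN_PROGRESS", "severity": "high", "detectedAt": ago(1)},
        "med_attested": {"status": "OPEN", "severity": "medium", "detectedAt": ago(30),
                         "attestedUntil": now + timedelta(days=10)},
        "med_attest_expired": {"status": "OPEN", "severity": "medium", "detectedAt": ago(30),
                               "attestedUntil": ago(1)},
        "low_resolved": {"status": "RESOLVED", "severity": "low", "detectedAt": ago(60)},
    }
    return {name: sla_event(f, policy, now) for name, f in findings.items()}
```

Note that med_attest_expired surfaces as an immediate breach the moment its attestation lapses, which is the expiry pitfall the section above warns about.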
