figma guide

Designing vulnerability management and penetration test findings UI in Figma: severity, remediation, and handoff

Design vulnerability management and pentest findings UI in Figma with finding queues, severity tiers, remediation SLAs, owner assignment, and Dev Mode specs for enterprise Security admin.

Published
Updated
Jul 19, 2026
Read time
7 min
Level
Intermediate

Quick answer

Vulnerability management UI helps Security teams track findings from pentests, scanners, and bug bounty—prioritize by severity, assign owners, and prove remediation before the next audit. Design a finding queue with CVSS/severity, source (pentest, SAST, bounty); detail drawer with repro steps, affected assets, and evidence; remediation workflow with SLA countdown and status (Open / In progress / Fixed / Accepted risk); pentest report import view; and posture linkage when critical findings remain open. Start from the Figma guides hub and pair with incident runbooks, security posture, audit log, vendor risk, and Dev Mode handoff.


Who this is for

  • Product designers building finding queues, pentest report views, and remediation dashboards for enterprise Security admin.
  • Design system teams aligning severity badges with badges, progress indicators, and tables.
  • Engineers implementing finding schemas, SLA timers, status transitions, and integration with Jira or internal ticketing.

Finding queue layout

ColumnContent
IDVULN-1042
TitleIDOR on export endpoint
SeverityCritical / High / Medium / Low / Info
SourcePentest Q2 · SAST · Bug bounty
Assetapi.acme.com / Admin console
StatusOpen / In progress / Fixed / Accepted risk
Owner@eng-security
SLADue in 3 days · Overdue 5 days
FindingQueue
├── Header: Vulnerabilities · [ Import pentest ] [ Export register ] [ New finding ]
├── Summary: 4 Critical · 12 High · 28 Medium · SLA breach: 3
├── Filters: Severity · Status · Source · Asset · Overdue
└── Row: VULN-1042 · IDOR export · Critical · Pentest · Open · Due 3d

Verdict: default sort by severity × SLA urgency, not alphabetical title—admins triage what burns first.


Finding detail drawer

FindingDetailDrawer
├── Header: VULN-1042 · Critical · IDOR on member export endpoint
├── Tabs: Overview · Repro · Evidence · Remediation · History
├── Overview: CVSS 9.1 · CWE-639 · Discovered 2026-07-01
├── Asset: api.acme.com/v1/members/export · Auth: Member token
├── Owner: @eng-security · Reporter: External pentest firm
├── SLA: Fix by 2026-07-08 (Critical = 7 days)
└── Actions: [ Assign ] [ Mark in progress ] [ Request exception ] [ Link ticket ]
ZonePurpose
OverviewSeverity, CWE/CVE, discovery date, source report
ReproStep-by-step for engineers (code snippet, request/response)
EvidenceScreenshots, scanner output, pentest PDF excerpt
RemediationFix description, PR link, retest result
HistoryStatus changes, SLA extensions, accepted-risk approvals

Use accordions for long repro steps; code-style text for request samples in Dev Mode specs.


Severity and SLA matrix

Transparent SLAs—not ad hoc “fix when you can”:

SeverityDefault SLAEscalation
Critical7 daysP1 page + Owner notify at 48h
High30 daysSecurity Admin weekly review
Medium90 daysQuarterly posture review
Low180 daysBacklog grooming
InfoNo SLADocument only
SLAIndicator
├── Critical · Due 2026-07-08 · 3 days left
├── ████████░░ 71% of SLA elapsed
└── At 100%: Overdue badge + posture gap + optional [incident runbook](/designing-incident-response-runbooks-and-security-playbooks-ui-in-figma/)

Accepted risk requires Security Admin + optional Owner approval with expiry date—not a silent “won’t fix” dropdown.


Remediation workflow states

StatusFlow: Open → In progress → Fixed (pending verify) → Verified closed
                    ↘ Accepted risk (with approval + expiry)
                    ↘ Duplicate / False positive
StatusUI treatment
OpenRed/amber severity badge, SLA timer active
In progressOwner avatar, linked ticket/PR
Fixed (pending verify)“Awaiting retest” badge, pentester assign
Verified closedGreen check, closed date, retest evidence
Accepted riskWarning badge, expiry date, approver name
RemediationTab
├── Status: In progress · Owner: @eng-security
├── Linked: JIRA-8821 · PR #441 merged 2026-07-05
├── Fix notes: Added org-scoped authorization check on export
├── Retest: Pending · Assigned to pentest firm
└── [ Mark fixed ] [ Upload retest evidence ] [ Reopen ]

Fixed without verification should not auto-close—common audit finding when teams self-close criticals.


Pentest report import view

Quarterly external pentests arrive as PDF + spreadsheet—admin UI should ingest, not retype:

Import fieldMaps to
Report metadataVendor, date, scope, tester firm
Finding rowsTitle, severity, asset, CWE, description
Bulk createPreview table before import
DedupMatch existing open findings by CWE + asset
PentestImportWizard
├── Step 1: Upload report (PDF + CSV findings)
├── Step 2: Map columns · Preview 23 new · 4 duplicates
├── Step 3: Set default owner team · SLA inherits severity
└── [ Import findings ] [ Cancel ]

Link pentest vendor to vendor risk assessment if same firm—one vendor record, multiple report imports over time.


Posture dashboard and open criticals

Open Critical/High findings surface on security posture dashboard:

Gap typeExample
SLA breach3 Critical past due
Unassigned CriticalVULN-1048 no owner 48h
Accepted risk expiring2 exceptions expire this month
Retest overdueFixed items not verified 14+ days
PostureGapCard — Vulnerabilities
├── 3 Critical SLA breaches · Blocks "green" posture score
├── Oldest: VULN-1021 · IDOR · 12 days overdue
└── [ View queue filtered ] [ Start remediation runbook ]

Optional link to incident runbook when active exploitation suspected—not every finding needs live incident mode.


Comparison: vulnerability finding vs incident vs vendor risk

SurfaceQuestion answered
Vulnerability finding”What weakness exists and is it fixed?”
Incident runbook”Something bad is happening now—what do we do?”
Vendor risk”Is this third party trustworthy?”

A pentest finding on a third-party app may spawn both a VULN record and vendor re-review—show cross-links, not duplicate queues.


Common mistakes

MistakeWhy it hurtsFix
Flat list without severity sortCriticals buried under noiseDefault sort severity × SLA
Self-close without retestAudit failure on “fixed” criticalsVerified closed state + evidence
No SLA visibilityFixes slip indefinitelyCountdown + overdue posture gap
Accepted risk without expiryPermanent exceptionsApproval + expiry + renewal review
Pentest PDF only—no structured importFindings lost in emailCSV import wizard
Finding decoupled from assetCan’t prioritize by blast radiusAsset/service field required
Same UI as member bug reportWrong workflow and permissionsAdmin-only Security queue
No link to audit logCan’t prove remediation timelineLog status transitions
Duplicate findings from scanner + pentestDouble workDedup on import
Critical without owner auto-assignSits unowned 48hDefault owner team + escalation

  1. Design finding queue with severity, source, SLA, and status filters.
  2. Build detail drawer with repro, evidence, and remediation tabs.
  3. Add SLA matrix with visual countdown and overdue treatment.
  4. Create remediation state machine including verified closed and accepted risk.
  5. Build pentest import wizard with dedup preview.
  6. Wire open criticals to security posture gaps.
  7. Annotate status transitions and audit events in Dev Mode.

FAQ

CVSS score required on every finding?

Recommended for Critical/High—Medium/Low can use simplified severity with optional CVSS; pentest imports often include scores.

Integrate with Jira or internal tickets?

Yes—linked ticket field on remediation tab; status can sync or stay manual with deep link.

Bug bounty vs pentest in same queue?

Same queue, different source tag—filter by source; bounty may need reporter alias field for privacy.

Asset field can reference “token leak in logs”—cross-link if finding involves exposed credentials.

Export for SOC2 vulnerability management evidence?

Finding register export via compliance export—open/closed counts, SLA compliance, accepted risks with approvers.


Next steps

Share on X

§ Keep reading

Related guides.