figma guide
Designing vulnerability management and penetration test findings UI in Figma: severity, remediation, and handoff
Design vulnerability management and pentest findings UI in Figma with finding queues, severity tiers, remediation SLAs, owner assignment, and Dev Mode specs for enterprise Security admin.
- Published
- Updated
- Jul 19, 2026
- Read time
- 7 min
- Level
- Intermediate
Quick answer
Vulnerability management UI helps Security teams track findings from pentests, scanners, and bug bounty—prioritize by severity, assign owners, and prove remediation before the next audit. Design a finding queue with CVSS/severity, source (pentest, SAST, bounty); detail drawer with repro steps, affected assets, and evidence; remediation workflow with SLA countdown and status (Open / In progress / Fixed / Accepted risk); pentest report import view; and posture linkage when critical findings remain open. Start from the Figma guides hub and pair with incident runbooks, security posture, audit log, vendor risk, and Dev Mode handoff.
Who this is for
- Product designers building finding queues, pentest report views, and remediation dashboards for enterprise Security admin.
- Design system teams aligning severity badges with badges, progress indicators, and tables.
- Engineers implementing finding schemas, SLA timers, status transitions, and integration with Jira or internal ticketing.
Finding queue layout
| Column | Content |
|---|---|
| ID | VULN-1042 |
| Title | IDOR on export endpoint |
| Severity | Critical / High / Medium / Low / Info |
| Source | Pentest Q2 · SAST · Bug bounty |
| Asset | api.acme.com / Admin console |
| Status | Open / In progress / Fixed / Accepted risk |
| Owner | @eng-security |
| SLA | Due in 3 days · Overdue 5 days |
FindingQueue
├── Header: Vulnerabilities · [ Import pentest ] [ Export register ] [ New finding ]
├── Summary: 4 Critical · 12 High · 28 Medium · SLA breach: 3
├── Filters: Severity · Status · Source · Asset · Overdue
└── Row: VULN-1042 · IDOR export · Critical · Pentest · Open · Due 3d
Verdict: default sort by severity × SLA urgency, not alphabetical title—admins triage what burns first.
Finding detail drawer
FindingDetailDrawer
├── Header: VULN-1042 · Critical · IDOR on member export endpoint
├── Tabs: Overview · Repro · Evidence · Remediation · History
├── Overview: CVSS 9.1 · CWE-639 · Discovered 2026-07-01
├── Asset: api.acme.com/v1/members/export · Auth: Member token
├── Owner: @eng-security · Reporter: External pentest firm
├── SLA: Fix by 2026-07-08 (Critical = 7 days)
└── Actions: [ Assign ] [ Mark in progress ] [ Request exception ] [ Link ticket ]
| Zone | Purpose |
|---|---|
| Overview | Severity, CWE/CVE, discovery date, source report |
| Repro | Step-by-step for engineers (code snippet, request/response) |
| Evidence | Screenshots, scanner output, pentest PDF excerpt |
| Remediation | Fix description, PR link, retest result |
| History | Status changes, SLA extensions, accepted-risk approvals |
Use accordions for long repro steps; code-style text for request samples in Dev Mode specs.
Severity and SLA matrix
Transparent SLAs—not ad hoc “fix when you can”:
| Severity | Default SLA | Escalation |
|---|---|---|
| Critical | 7 days | P1 page + Owner notify at 48h |
| High | 30 days | Security Admin weekly review |
| Medium | 90 days | Quarterly posture review |
| Low | 180 days | Backlog grooming |
| Info | No SLA | Document only |
SLAIndicator
├── Critical · Due 2026-07-08 · 3 days left
├── ████████░░ 71% of SLA elapsed
└── At 100%: Overdue badge + posture gap + optional [incident runbook](/designing-incident-response-runbooks-and-security-playbooks-ui-in-figma/)
Accepted risk requires Security Admin + optional Owner approval with expiry date—not a silent “won’t fix” dropdown.
Remediation workflow states
StatusFlow: Open → In progress → Fixed (pending verify) → Verified closed
↘ Accepted risk (with approval + expiry)
↘ Duplicate / False positive
| Status | UI treatment |
|---|---|
| Open | Red/amber severity badge, SLA timer active |
| In progress | Owner avatar, linked ticket/PR |
| Fixed (pending verify) | “Awaiting retest” badge, pentester assign |
| Verified closed | Green check, closed date, retest evidence |
| Accepted risk | Warning badge, expiry date, approver name |
RemediationTab
├── Status: In progress · Owner: @eng-security
├── Linked: JIRA-8821 · PR #441 merged 2026-07-05
├── Fix notes: Added org-scoped authorization check on export
├── Retest: Pending · Assigned to pentest firm
└── [ Mark fixed ] [ Upload retest evidence ] [ Reopen ]
Fixed without verification should not auto-close—common audit finding when teams self-close criticals.
Pentest report import view
Quarterly external pentests arrive as PDF + spreadsheet—admin UI should ingest, not retype:
| Import field | Maps to |
|---|---|
| Report metadata | Vendor, date, scope, tester firm |
| Finding rows | Title, severity, asset, CWE, description |
| Bulk create | Preview table before import |
| Dedup | Match existing open findings by CWE + asset |
PentestImportWizard
├── Step 1: Upload report (PDF + CSV findings)
├── Step 2: Map columns · Preview 23 new · 4 duplicates
├── Step 3: Set default owner team · SLA inherits severity
└── [ Import findings ] [ Cancel ]
Link pentest vendor to vendor risk assessment if same firm—one vendor record, multiple report imports over time.
Posture dashboard and open criticals
Open Critical/High findings surface on security posture dashboard:
| Gap type | Example |
|---|---|
| SLA breach | 3 Critical past due |
| Unassigned Critical | VULN-1048 no owner 48h |
| Accepted risk expiring | 2 exceptions expire this month |
| Retest overdue | Fixed items not verified 14+ days |
PostureGapCard — Vulnerabilities
├── 3 Critical SLA breaches · Blocks "green" posture score
├── Oldest: VULN-1021 · IDOR · 12 days overdue
└── [ View queue filtered ] [ Start remediation runbook ]
Optional link to incident runbook when active exploitation suspected—not every finding needs live incident mode.
Comparison: vulnerability finding vs incident vs vendor risk
| Surface | Question answered |
|---|---|
| Vulnerability finding | ”What weakness exists and is it fixed?” |
| Incident runbook | ”Something bad is happening now—what do we do?” |
| Vendor risk | ”Is this third party trustworthy?” |
A pentest finding on a third-party app may spawn both a VULN record and vendor re-review—show cross-links, not duplicate queues.
Common mistakes
| Mistake | Why it hurts | Fix |
|---|---|---|
| Flat list without severity sort | Criticals buried under noise | Default sort severity × SLA |
| Self-close without retest | Audit failure on “fixed” criticals | Verified closed state + evidence |
| No SLA visibility | Fixes slip indefinitely | Countdown + overdue posture gap |
| Accepted risk without expiry | Permanent exceptions | Approval + expiry + renewal review |
| Pentest PDF only—no structured import | Findings lost in email | CSV import wizard |
| Finding decoupled from asset | Can’t prioritize by blast radius | Asset/service field required |
| Same UI as member bug report | Wrong workflow and permissions | Admin-only Security queue |
| No link to audit log | Can’t prove remediation timeline | Log status transitions |
| Duplicate findings from scanner + pentest | Double work | Dedup on import |
| Critical without owner auto-assign | Sits unowned 48h | Default owner team + escalation |
Recommended workflow
- Design finding queue with severity, source, SLA, and status filters.
- Build detail drawer with repro, evidence, and remediation tabs.
- Add SLA matrix with visual countdown and overdue treatment.
- Create remediation state machine including verified closed and accepted risk.
- Build pentest import wizard with dedup preview.
- Wire open criticals to security posture gaps.
- Annotate status transitions and audit events in Dev Mode.
FAQ
CVSS score required on every finding?
Recommended for Critical/High—Medium/Low can use simplified severity with optional CVSS; pentest imports often include scores.
Integrate with Jira or internal tickets?
Yes—linked ticket field on remediation tab; status can sync or stay manual with deep link.
Bug bounty vs pentest in same queue?
Same queue, different source tag—filter by source; bounty may need reporter alias field for privacy.
Link to API keys findings?
Asset field can reference “token leak in logs”—cross-link if finding involves exposed credentials.
Export for SOC2 vulnerability management evidence?
Finding register export via compliance export—open/closed counts, SLA compliance, accepted risks with approvers.
Next steps
- Design incident response runbooks and security playbooks UI in Figma — active exploitation playbook
- Design security posture dashboard and compliance checklist UI in Figma — open critical gaps
- Design vendor risk assessment and third-party security reviews UI in Figma — pentest vendor linkage
- Design audit log and security activity UI in Figma — remediation timeline proof
- Design compliance exports and legal hold UI in Figma — finding register for auditors
§ Keep reading