Identified vulnerabilities in applications MUST generally be remediated quickly and at their root cause. If root cause remediation would require a significant amount of time and the risk posed by the vulnerability is also significant, temporary measures (e.g. workarounds) SHOULD be implemented as soon as possible to reduce exploitability until the actual root cause is fixed. Such measures MUST always be considered temporary.

1. In respect of external (e.g. Internet-facing) applications, the following requirements define the latest point in time by which a vulnerability MUST be corrected or its exploitability prevented:

...

Table 2-1: Requirements for Vulnerability Remediation for External Applications

2. In respect of internal applications, the following requirements define the point in time by which a vulnerability MUST be remediated or, where that is not possible, at least its exploitability prevented:

...

Table 2-2: Requirements for Vulnerability Remediation for Internal Applications

3. In respect of newly developed applications: Confirmed vulnerabilities with CVSS[2] v3 score >= 7.0 (or >= “high” rating) MUST NOT be used in production. Confirmed vulnerability findings with CVSS v3 score >= 6.0 (or > “medium” rating) SHOULD NOT be used in production without proper verification.



...

[1] day = calendar day

[2] CVSS = Common Vulnerability Scoring System v3, https://www.first.org/cvss