Identified vulnerabilities in applications MUST generally be remediated quickly and at the root cause. If root cause remediation would require a significant amount of time and the risk posed by the vulnerability is also significant, temporary measures (e.g. workarounds) SHOULD be implemented as soon as possible to reduce exploitability until the actual root cause is fixed. Such measures MUST always be considered temporary.

1. For external (e.g. Internet-facing) applications, the following requirements define the latest point in time by which a vulnerability MUST be corrected or its exploitability prevented:

...

Table 2-1: Requirements for Vulnerability Remediation for External Applications

2. For internal applications, the following requirements define the point in time by which a vulnerability MUST be remediated if possible, or at least its exploitability prevented:

...

Table 2-2: Requirements for Vulnerability Remediation for Internal Applications

3. For newly developed applications:

  1. Confirmed vulnerabilities with a CVSS[2] v3 score >= 7.0 (or a rating of “high” or above) MUST NOT be taken into production. Confirmed vulnerability findings with a CVSS v3 score >= 6.0 (or a rating above “medium”) SHOULD NOT be taken into production without proper verification.

  2. Teams MAY refine a CVSS Base Score by evaluating its CVSS Environmental Score, thereby taking aspects such as the application's classification or accessibility into account.

  3. When a score is refined, the corresponding CVSS vector MUST be documented.



...

[1] day = calendar day

[2] CVSS = Common Vulnerability Scoring System (CVSS) v3, https://www.first.org/cvss

...