...
| Criticality of Application \ Criticality of Vulnerability | Critical | High | Moderate |
|---|---|---|---|
| >= High | At the end of the next working day | Within 7 days[1] | Within the next release, but after 6 months at the latest. |
| <= Moderate | Within 7 days | Within 21 days | - |
Table 2-1: Requirements for Vulnerability Remediation for External Applications
In respect of internal applications, the following requirements define the point in time by which a vulnerability MUST be remediated if possible, or at least its exploitability prevented:
...
Table 2-2: Requirements for Vulnerability Remediation for Internal Applications
In respect of newly developed applications:
...
...
[1]
...
Teams MAY refine a CVSS Base Score by evaluating its CVSS Environmental Score and thereby take aspects such as its classification or accessibility into account.
...
When a score is refined, the respective CVSS vector MUST be documented.
[1] day = calendar day
[2] CVSS = Common Vulnerability Scoring System (CVSS) v3, https://www.first.org/cvss