Identified vulnerabilities in applications MUST generally be remediated quickly and at the root cause. Where root cause remediation would take a significant amount of time and the risk posed by the vulnerability is also significant, temporary measures (e.g. workarounds) SHOULD be implemented as soon as possible to reduce exploitability until the actual root cause is fixed. Such a measure MUST always be treated as temporary; it does not replace the root cause fix.
For external (e.g. Internet-facing) applications, the following table defines the latest point in time by which a vulnerability MUST be remediated or, at least, its exploitability prevented:
Criticality of Application  |  Criticality of Vulnerability
                            |  Critical                            |  High              |  Moderate
>= High                     |  At the end of the next working day  |  Within 7 days[1]  |  Within the next release, but no later than 6 months
<= Moderate                 |  Within 7 days                       |  Within 21 days    |  -
Table 2-1: Requirements for Vulnerability Remediation for External Applications
For internal applications, the following table defines the latest point in time by which a vulnerability MUST be remediated or, if that is not yet possible, its exploitability prevented:
Criticality of Application  |  Criticality of Vulnerability
                            |  Critical         |  High            |  Moderate
>= High                     |  Within 7 days    |  Within 30 days  |  Within the next release, but no later than 12 months
<= Moderate                 |  Within 21 days   |  Within 60 days  |  -
Table 2-2: Requirements for Vulnerability Remediation for Internal Applications
For newly developed applications:
Applications with confirmed vulnerabilities of CVSS[2] v3 score >= 7.0 (rating "high" or above) MUST NOT go into production. Applications with confirmed findings of CVSS v3 score >= 6.0 (or a rating above "medium") SHOULD NOT go into production without proper verification of the finding.
Teams MAY refine a CVSS Base Score by evaluating the CVSS Environmental Score, thereby taking aspects such as the application's classification or accessibility into account.
When a score is refined, the resulting CVSS vector MUST be documented.
[1] day = calendar day
[2] CVSS = Common Vulnerability Scoring System v3, https://www.first.org/cvss