2. Remediation of Vulnerabilities in Production

Identified vulnerabilities in applications MUST generally be remediated quickly and at the root cause. If root-cause remediation requires a significant amount of time and the risk posed by the vulnerability is also significant, temporary measures (e.g. workarounds) SHOULD be implemented as soon as possible to reduce exploitability until the actual root cause is fixed. Such measures MUST always be treated as temporary, not as a substitute for the root-cause fix.

For external (e.g. Internet-facing) applications, the following requirements define the latest point in time by which a vulnerability MUST be corrected or its exploitability prevented:

| Criticality of Application \ Criticality of Vulnerability | Critical                           | High             | Moderate                                        |
|-----------------------------------------------------------|------------------------------------|------------------|-------------------------------------------------|
| >= High                                                   | At the end of the next working day | Within 7 days[1] | In the next release, but no later than 6 months |
| <= Moderate                                               | Within 7 days                      | Within 21 days   | -                                               |

Table 2-1: Requirements for Vulnerability Remediation for External Applications

For internal applications, the following requirements define the latest point in time by which a vulnerability MUST be remediated or, where that is not possible, at least its exploitability prevented:

| Criticality of Application \ Criticality of Vulnerability | Critical       | High           | Moderate                                         |
|-----------------------------------------------------------|----------------|----------------|--------------------------------------------------|
| >= High                                                   | Within 7 days  | Within 30 days | In the next release, but no later than 12 months |
| <= Moderate                                               | Within 21 days | Within 60 days | -                                                |

Table 2-2: Requirements for Vulnerability Remediation for Internal Applications

[1] day = calendar day