P0
A P0 issue is categorized as an issue that results in major data corruption, many apps (or Customer’s primary app) unusable, or a High to Critical severity security weakness, as defined by the NIST CVSS v3 that has been disclosed publicly or is being actively exploited.
-
Acknowledge report within 24 hours
-
Start investigation within 48 hours
-
Provide updates every 24 hours
-
Extraordinary efforts will be made to:
-
Fix Critical severity security weaknesses in 15 days
-
Fix High severity security weaknesses in 30 days
-
Fix other P0 issues in 30 days
-
-
Released as soon as the fix is available and tested
P1
A P1 issue is categorized as an issue that results in minor data corruption, important app functionality being unusable, or a High to Critical severity security weakness, as defined by the NIST CVSS v3, that has not been disclosed and is not being actively exploited.
-
Acknowledge report within 48 hours
-
Start investigation within 1 week
-
Provide updates once a week
-
Commercially reasonable efforts will be made to:
-
Fix Critical severity security weaknesses in 15 days
-
Fix High severity security weaknesses in 30 days
-
Fix other P1 issues in 60 days
-
-
Released as soon as fix is available and tested
P2
A P2 issue is categorized as a Low to Medium severity security weakness, as defined by the NIST CVSS v3.
-
Acknowledge report within 1 week
-
Start investigation within 1 week
-
Provide updates once a month
-
Commercially reasonable efforts will be made to:
-
Fix Medium severity security weaknesses in 60 days
-
Fix Low severity security weaknesses in 90 days
-
-
Released as soon as fix is available and tested
P3
A P3 issue is categorized as an issue that results in ancillary or minor app functionality being unusable or requiring an inconvenient workaround. P3 issues will by default not be addressed, unless circumstances permit a low-risk or high-demand fix. When fixed, the following timelines will be considered.
-
Acknowledge report within 1 week
-
Start investigation within 1 month
-
Provide updates when released
-
Commercially reasonable efforts will be made to fix and release issues in 180 days
The parties acknowledge that the level of effort defined for each priority may not be sufficient to resolve exceptional issues or security weaknesses in the specified timeframe. In those cases, Company will regularly, promptly, and clearly communicate all updated expectations.