When a Security Vulnerability or Compatibility issue is reported to Support, Company will respond to such report by creating an Issue for resolution. Each Issue will be resolved according to Company’s standard operating procedures, and in accordance with the Service Level correlated with Issue’s Common Vulnerability Scoring System v3 (CVSS) score.
The Service Levels are defined as:
P1 Issues
- Categorized by High & Critical CVSS scores (7.0-10.0) and any of the following properties:
- Public Disclosure of CVE through MITRE.
- Impact or attack vectors not isolated to a single implementation.
- Irreparable data loss, including data corruption, network traffic tampering, etc.
- Critical application functionality degradation with no known workaround or mitigation strategy.
- Resolution Guarantees:
- Acknowledgement of report within 24 hours.
- Investigation into report within 48 hours.
- Company shall release Update within 14 days.
- Company must immediately release Update upon verification.
P2 Issues
- Categorized by a Medium CVSS score (4.0-6.9) and any of the following properties:
- Public Disclosure of CVE through MITRE.
- Impact or attack vectors not isolated to a single implementation.
- Irreparable data loss, including data corruption, network traffic tampering, etc.
- Critical application functionality degradation without a viable workaround or mitigation strategy.
- Resolution Guarantees
- Acknowledgement of report within 24 hours.
- Investigation into report within 48 hours.
- Company shall release Update within 21 days.
- Company must immediately release Update upon verification.
P3 Issues
- Categorized by Medium, High & Critical CVSS scores (4.0-10.0) and any of the following properties:
- Impact / attack vector not isolated to a single implementation.
- Significant data loss, including data corruption, network traffic tampering, etc.
- A potential for critical application functionality degradation with no known workaround or mitigation strategy.
- Resolution Guarantees
- Acknowledgement of report within 24 hours.
- Investigation into report within 5 days.
- Company shall release Update within 21 days.
- Company must immediately release Update upon verification.
P4 Issues
- Categorized by any of the following properties:
- A Low CVSS score (0.1-3.9).
- A low likelihood of impact / attack vector not isolated to a single implementation.
- Minor recoverable data loss.
- General application functionality degradation that requires an inconvenient workaround or mitigation strategy.
- Resolution Guarantees
- Acknowledgement of report within 1 business week.
- Investigation into report within 14 days.
- Company shall make commercially reasonable efforts to release an Update within 60 days.
- Company must immediately release Update upon verification.
In the event an extraordinary Issue cannot be resolved given its level of effort and resolution window, Company will continue to communicate updated expectations at the Investigation Progress Update interval.