Security Bugfix Policy

Security Bugfix Service Level Agreement

We attempt to meet the following timeframes for fixing security issues.

  • Critical severity bugs (CVSS v2 score >= 8, CVSS v3 score >= 9) should be fixed in product within 4 weeks of being reported.

  • High severity bugs (CVSS v2 score >= 6, CVSS v3 score >= 7) should be fixed in product within 6 weeks of being reported.

  • Medium severity bugs (CVSS v2 score >= 3, CVSS v3 score >= 4) should be fixed in product within 8 weeks of being reported.

Critical vulnerabilities

When a Critical security vulnerability is discovered by us or reported by a third party, we will issue a new, fixed release for the current version of the affected product as soon as possible.

Non-critical vulnerabilities

When a security issue of a High, Medium or Low severity is discovered, we will include the fix in the next scheduled maintenance release.
You should upgrade your installation in order to fix the vulnerability.

Other information

We will continuously evaluate our policies based on customer feedback and will provide any updates or changes on this page.

Questions? Comments? Write us, or give us a call.

 



© 2020 David Simpson Apps.


David Simpson Apps is a trading name of Concise Web Design Limited.

Registered office: Johnstone House 2a Gordon Road, West Bridgford, Nottingham, England, NG2 5LN

UK Company Number: 04944014