Merge pull request #643 from telerik/security-update-docs

docs(security): add vulnerability remediation guidelines
telerik · Nov 28, 2024 · 5a23e2d · 5a23e2d
2 parents 010cc57 + 05691e1
commit 5a23e2d
Showing 1 changed file with 15 additions and 5 deletions.
diff --git a/docs/security/overview.md b/docs/security/overview.md
@@ -29,17 +29,27 @@ At Progress, we work diligently to identify and fix security vulnerabilities in
 
 We value the contributions of security researchers and ethical hackers. If a researcher identifies a potential vulnerability, they can submit it via our [Bugcrowd](https://bugcrowd.com/engagements/devtools-vdp) platform. We aim to meet the following response times:
 
-| Type of Response | SLO (in business days) |
-|------------------|------------------------|
-| First Response    | 7 days                 |
-| Time to Triage    | 10 days                |
-| Time to Resolution| Depends on severity    |
+| Type of Response   | SLO (in business days)                                       |
+| ------------------ | ------------------------------------------------------------ |
+| First Response     | 7 days                                                       |
+| Time to Triage     | 10 days                                                      |
+| Time to Resolution | [Depends on severity](#vulnerability-remediation-guidelines) |
 
 For more information, visit:
 - [Bugcrowd Vulnerability Disclosure Program](https://bugcrowd.com/engagements/devtools-vdp)
 - [Progress Trust Center](https://www.progress.com/trust-center)
 - [Vulnerability Reporting Policy](https://www.progress.com/trust-center/vulnerability-reporting-policy)
 
+## Vulnerability Remediation Guidelines
+
+Progress follows defined timelines for remediating vulnerabilities based on their severity levels, ensuring a structured and efficient approach to maintaining security across all products. These guidelines are aligned with CVSS (Common Vulnerability Scoring System) scoring:
+
+-   **Critical scored issues (CVSS 9.0+):** Resolved within **30 days**.
+-   **High scored issues (CVSS 7.0–8.9):** Resolved within **60 days**.
+-   **Medium or lower scored issues (CVSS < 7):** Resolved within **90–120 days**, depending on the score.
+
+While these are not strict SLA (Service Level Agreement), they serve as a commitment to providing timely resolutions for identified vulnerabilities.
+
 ## What We Do to Mitigate Risk
 
 Our dedicated security team, comprised of experienced developers and security experts—our "Security Champions"—reviews all web, desktop, and mobile products technologies for potential vulnerabilities. These vulnerabilities may be internally identified, reported by third-party tools, or flagged externally.