Customers using Bitnami Secure Images through a subscription may ask:

- What is the SLA for CVE remediation?
- How quickly are Critical or High vulnerabilities fixed?
- When are updated images published after a CVE disclosure?

This article explains the official vulnerability remediation Service Level Agreement (SLA) as defined in the Bitnami Secure Images SaaS Listing and Specific Program Documentation (SPD).
Vulnerabilities are categorized using the CVSS (Common Vulnerability Scoring System) scale:
| Severity | CVSS Range |
|---|---|
| Critical | 9.0 – 10.0 |
| High | 7.0 – 8.9 |
| Medium | 4.0 – 6.9 |
| Low | 0.1 – 3.9 |
The SLA is measured from the time an upstream fix is available and verified.
| Severity | Remediation Target |
|---|---|
| Critical and High | Fix made available within 2 business days |
| Medium and Low | Fix made available within 30 business days |
Remediation consists of publishing an updated Secure Image that includes the upstream fix.
ARM64 builds of container images have a “best effort” response time and are not covered by the remediation targets above.
- The SLA applies only to customers with an active Bitnami Secure Images subscription.
- The SLA clock begins after a verified upstream fix exists.
- If no upstream fix is available, the remediation timelines do not apply.
- Updated images are published to the customer’s configured registry destination.