Security Bug Fix Policy
At STAGIL, the security of your systems is a top priority. We are committed to ensuring that our products do not introduce vulnerabilities that could compromise your environment.
Scope
This policy outlines how and when we fix security-related bugs in our products. It does not cover our full disclosure or advisory procedures.
Security Bug Fix Service Level Agreement (SLA)
We apply the following service level targets for resolving confirmed security issues. Severity is assigned from the CVSS score of the issue (v2 or v3, whichever the advisory uses), and the fix timeline runs from the point at which the issue is confirmed:
| Severity | CVSS v2 Score | CVSS v3 Score | Fix Timeline |
|---|---|---|---|
| Critical | ≥ 8.0 | ≥ 9.0 | Within 2 weeks |
| High | ≥ 6.0 | ≥ 7.0 | Within 4 weeks |
| Medium | ≥ 3.0 | ≥ 4.0 | Within 6 weeks |
Issues scoring below the Medium threshold are rated Low and have no fixed timeline target; see "Non-critical vulnerabilities" below.
Critical Vulnerabilities
When a critical vulnerability is discovered, either internally or by a third party, we release a fixed version of the affected product as quickly as possible and within the SLA above.
For Cloud products, no customer action is required: fixes are applied automatically.
📌 For self-managed products, fixes are only effective once the new version is deployed. We recommend upgrading to the latest version as soon as it is released to receive the most recent security updates.
Non-Critical Vulnerabilities
Security issues rated High, Medium, or Low are fixed in the next scheduled release of the affected product, within the SLA targets above where one applies.
We strongly encourage all customers to upgrade promptly when new releases become available so that they benefit from the latest security fixes; a fix that has been released but not deployed provides no protection.
Severity Ratings
We use the Common Vulnerability Scoring System (CVSS) to assess severity. Each STAGIL advisory states the assigned severity level, which is derived from the CVSS score according to the thresholds in the SLA table above.
Learn more about CVSS scoring at FIRST.org.
Other Information
We continuously review and improve our security processes based on customer feedback. Any policy updates will be reflected on this page.
If you have questions or need clarification, please contact our security team.