
Last Updated October 22, 2025



Chainguard SLA

This Chainguard CVE Policy (“CVE Policy”) describes the services of Chainguard, Inc. (“Chainguard”) designed to address common vulnerabilities and exposures (“CVE(s)”) that may arise from time to time in connection with any of the following Products: (A) Chainguard Containers, and (B) Chainguard Libraries, as applicable under a given order (“Order”) by and between a customer (“Customer”) and Chainguard. Capitalized terms used, but not defined, in this CVE Policy have the meanings ascribed in the Agreement (as defined in such Order), or if no such agreement is in effect, Chainguard’s MSLA.


1. Chainguard Containers


1.1. Commitment. Chainguard will use commercially reasonable efforts to address CVEs for all Qualifying Patches contained in Guarded Chainguard Assets. “Guarded Chainguard Assets” means the latest version of a supported version stream of a published Chainguard Container; for clarity, version streams designated as End of Life (as defined below) are expressly excluded from the definition of Guarded Chainguard Assets. As used in connection with Guarded Chainguard Assets, a “Qualifying Patch” means that: (i) scanners used by Chainguard identify the existence of a CVE affecting a Guarded Chainguard Asset (each an “Affected Asset”); (ii) the CVE is independently rectifiable within the Affected Asset in spite of any other bugs contained therein; and (iii) either (a) there is an upstream release version of the affected Third Party Software in the Affected Asset available which a credible and independent third party has verified is fully able to rectify the Affected Asset’s CVE (i.e. the project maintainers have release notes or a code commit message designating a fix to the CVE), or (b) the Affected Asset can be rebuilt with updated compilers and/or libraries to remediate the subject CVE.


1.2. Severity Scoring. Chainguard will assign each CVE constituting a Qualifying Patch a severity score in its good faith discretion, based upon various factors including, without limitation, standards promulgated at https://nvd.nist.gov/vuln-metrics/cvss and the Common Vulnerability Scoring System, Version 3, therein; Customer requests and considerations; and other circumstantial factors.


1.3. Patching. Chainguard shall use commercially reasonable efforts to patch Guarded Chainguard Asset CVEs within the estimated timeframe set forth below (as applicable, the “Patching Timeframe”).


  1. Critical Severity: 7 calendar days from the date a Qualifying Patch is publicly available.

  2. High, Medium, and Low Severity: 14 calendar days from the date a Qualifying Patch is publicly available.


1.4. Remediation. A CVE will be considered patched when any of the following occur:


  1. a Guarded Chainguard Asset or update thereto is published on Chainguard’s hosted registry; or

  2. the CVE either: a) is not reported when passing the published image through Grype and Vexctl; or b) has been demonstrably added to Chainguard’s security advisory feed.

1.5. Misc. In the event a Guarded Chainguard Asset includes components that are FIPS validated, Chainguard will remediate any CVE contained therein in line with the above considerations, unless remediating would void the applicable FIPS validation. Notwithstanding anything to the contrary, in no event shall failure to remediate any CVE due to risk of voiding FIPS validation constitute a failure to meet the commitments or obligations set forth in this CVE Policy.


2. Chainguard Libraries


2.1. Commitment. Notwithstanding the commitments set forth in Section 1 (Chainguard Containers) above, which, for clarity, expressly and exclusively apply to CVEs contained in Affected Images only, Chainguard will take commercially reasonable efforts to remediate CVEs identified by Chainguard in Chainguard Products known as Chainguard Libraries (each an “Affected Library”), using one or more of the following methods:


a. Building the latest publicly available version from the source code for such Affected Library; or


b. Applying and backporting CVE fixes from the applicable Public Library (as defined below) to earlier versions of the Affected Library.


2.2. Functionality. Chainguard will make commercially reasonable efforts to test the functionality of Affected Libraries with upstream versions of publicly available libraries (“Public Libraries”) to maintain reasonably comparable functionality for such Affected Libraries, provided that users thereof understand and agree that each such Chainguard Library is a modified version of the equivalent Public Library, and Chainguard Libraries may not provide identical functional equivalence to Public Libraries. Customers are responsible for ensuring that the functionality of any Chainguard Libraries provisioned is appropriate for their intended use and purpose, and in no event shall Chainguard be responsible for Customer’s intended use in connection therewith.


3. End of Life (EOL) Grace Period for Chainguard Containers


3.1. Commitment. From time to time, Chainguard Containers may have limited availability where an upstream provider ceases to support or otherwise backport CVE fixes to older versions of that component (“End of Life”). To the extent Customer has purchased an offering of Chainguard Containers under an applicable Order that expressly includes an EOL Grace Period, Chainguard shall, for a maximum period of six (6) months from the date the affected image, including as applicable any component thereof or any versions of such image or component(s) (in any such case, an “EOL Asset”), is known by Chainguard to be subject to End of Life (the “End of Life Date”), take commercially reasonable efforts to remediate the CVEs for such EOL Assets by patching vulnerabilities and updating any dependent or secondary packages therein that are not subject to End of Life, until the earlier of: (i) one hundred and eighty (180) days from the End of Life Date; or (ii) the date the EOL Asset fails to build or function in Chainguard’s reasonable discretion. For the avoidance of doubt, the patching timeframes identified in Section 1 (Chainguard Containers) above shall not apply to EOL Assets.


4. Custom Assembly


Chainguard offers Custom Assembly, a self-service tool that allows Customer to create customized container images with extra packages added ("Customized Images"). Guarded Chainguard Assets used as the source container images for Customized Images, and the packages contained within them, will continue to be patched in accordance with this CVE Policy. However, due to the self-service nature of Custom Assembly, Customized Images may result in configurations that prevent application of the patching commitments and timeframes set forth in this CVE Policy.


5. Exclusions. Notwithstanding anything to the contrary in this CVE Policy, Chainguard shall not:


  1. be responsible for patching vulnerabilities on images or components thereof that do not have CVEs assigned to them; and

  2. be expected to backport or cherry-pick any individual commits or patches to any related Third Party Software.