Learn more about Chainguard policies and our legal documents.
Last Updated February 22, 2024
Common Vulnerabilities and Exposures. Chainguard will use commercially reasonable efforts to address common vulnerabilities and exposures (“CVEs”) for Chainguard’s published collection of images (the “Guarded Images”) as covered by this SLA, provided the CVEs meet all of the following requirements (a “Qualifying Patch”):
Severity Scoring. Chainguard may assign each CVE meeting the above criteria a severity score according to the Common Vulnerability Scoring System version 3, in accordance with the standards described at https://nvd.nist.gov/vuln-metrics/cvss. In addition, to the extent Customer requests a CVE severity score, Chainguard may elect to evaluate such CVE to determine, in good faith, the applicable CVE severity score.
Patching. Chainguard shall use commercially reasonable efforts to patch CVEs in Guarded Images within the estimated timeframe set forth below.
Critical severity: 7 calendar days from the date a Qualifying Patch is publicly available.
High, Medium, and Low severity: 14 calendar days from the date a Qualifying Patch is publicly available.
In the event a CVE does not meet the requirements of a Qualifying Patch due to a Major CVE Event, Chainguard will use commercially reasonable efforts to rebuild all images promptly.
Remediation. A CVE will be considered patched when any of the following occur:
In the event an image contains FIPS-validated components, Chainguard will remediate any CVE in line with the above considerations, unless remediating would void the FIPS validation.