Going beyond CVEs: Chainguard’s one day KEV SLA

Reid Tatoris, VP of Product, and Alex Burrage, Director of Product Security

Today, we're announcing a new SLA for Chainguard Containers: any CVE added to the CISA Known Exploited Vulnerabilities Catalog that affects a Chainguard container image will be remediated within one calendar day. This is the first explicit KEV SLA offered by any container vendor, and will be applied to all Containers customers with a CVE SLA today.

Our SLA reflects Chainguard’s commitment to respond to any KEV that affects a Chainguard container with continuous effort until resolution. This comes with a proven track record of rapid remediation: our team has been achieving an average remediation time of less than 20 hours for Critical CVEs, and a median remediation time of 2 days across all severities.

At the heart of Chainguard’s speed and responsiveness is the Chainguard Factory and its AI-native continuous reconciliation loops, which already track the underlying CVEs via upstream advisories and work to eliminate them before they reach the KEV Catalog. These same reconciliation loops also drive continuous rebuilds of other artifacts, such as Chainguard Libraries, VMs, Actions, and Agent Skills.

The urgency of KEVs in an agentic world

According to CISA, roughly 4% of all CVEs are ever exploited in the wild, and 12% of actively exploited vulnerabilities have a Medium or Low CVSS score. Relying solely on severity-based SLAs leaves organizations exposed for too long to a broad set of vulnerabilities that attackers exploit to gain access to critical systems and data.

In an age of agentic attacks operating at scale, those timelines are shrinking even faster. CISA states that 50% of KEVs are exploited within 2 days, and 75% within 28 days of disclosure. As these timelines continue to collapse at machine speed, organizations need more protection than a 10- or 14-day SLA on a "Medium" CVE that is actively exploited.

Recently, NIST made this shift official across the entire National Vulnerability Database. It acknowledged the massive 263% growth in CVE submissions between 2020 and 2025, stating that the NVD can no longer enrich every CVE it receives and that, going forward, it will prioritize enrichment for CVEs in the CISA KEV Catalog. As the U.S. government's own vulnerability infrastructure organizes around the KEV Catalog as the primary prioritization signal, suppliers of trusted open source must do the same.

A commitment aligned with your team’s own priorities

A KEV SLA is among the most valuable commitments Chainguard can make to customers on vulnerability response because it aligns our SLA with how security teams actually prioritize. Your team already treats KEVs as P0; now your trusted open source vendor explicitly does too.

This is not a promise we're hoping to grow into. We have a track record of rapid remediation, and we will continue to deliver it.

Our KEV SLA is included in all Chainguard Containers plans that carry a CVE SLA today at no additional cost. There is nothing to enable or configure.

If you’re currently using Chainguard Starter Catalog or our free images and want to learn more about our Catalog or Enterprise image offerings, talk to us to get started.
