
Update S1/P1 SLA

Jeff Burrows requested to merge jburrows001-s1p1-sla-update into master

Why is this change being made?

We have seen the question of "What is your SLA for remediating critical vulnerabilities?" on a number of customer security questionnaires, but a current customer questionnaire is pushing back on our normal explanation to this question.

On the one hand:

"As soon as possible" feels like the most technically correct answer to this question since we are diverting all reasonable resources towards remediation, but some vulns are harder to remediate than others. What would be the point of committing ourselves to a timeline when so much of this is case by case and not completely within our control to remediate immediately?

On the other hand:

We are using firm SLA times for S2/P2 and S3/P3 issues, so why not state a goal we plan to achieve for S1/P1 as well? There will be times with any SLA that we can't meet that goal, but as long as we have strong documentation about why and provide good information to our customers about how well we meet those goals, then I think we can hold ourselves to such a standard. Also, this is something that our customers want to see from us.

Does this MR meet the acceptance criteria?

N/A

Conformity
