Vulnerability management 

Milestone scores reported vulnerabilities using the industry vulnerability scoring system CVSSv3.1 (Common Vulnerability Scoring System) and provides patches according to the scores listed below.

If the person reporting the vulnerability has disclosed their contact information, Milestone will collaborate with them on details such as the CVSSv3.1 score, the content of the security advisory, and the date of the external disclosure.

CVSSv3.1 critical (9.0 – 10.0) 

Milestone aims to patch the vulnerability within two (2) months of validating the vulnerability. Patches are provided for all product versions in ‘General availability’ and ‘Limited availability’ at the time the patch is released.  

CVSSv3.1 high (7.0 – 8.9)

Milestone aims to patch the vulnerability within three (3) months of validating the vulnerability. Patches are provided for all product versions in ‘General availability’.  

CVSSv3.1 medium/low (0.1 – 6.9)

Milestone aims to patch the vulnerability as part of a scheduled, upcoming release. Patches are not provided for already released products.