What: Customers want to understand how we respond to and manage Cybersecurity and Infrastructure Security Agency (CISA) or equivalent agencies' (including the UK's National Cyber Security Center) advisories for critical and 0-day vulnerabilities.
Why: With the increased attention and scrutiny to cybersecurity risk, including the risk introduced by vulnerabilities in open source software and third party software and hardware, customers are increasingly concerned that they are not exposed to risk of compromise through their third party suppliers, including PagerDuty.
How: How do Critical and 0-day vulnerabilities fit into PagerDuty's vulnerability remediation timelines? PagerDuty timelines for remediation require as soon as possible and no later than the mandated timeline. This means that teams will make every effort to remediate as soon as possible, factoring in the need to test and ensure that the proposed remediation (patch) does not itself introduce more issues that it is attempting to cure.
What: What are PagerDuty timelines for remediation of vulnerabilities? PagerDuty's response to vulnerabilities, including patching of vulnerabilities, is informed by NIST 800-53 related controls and FedRAMP Low Impact Baseline Control standards. This means that PagerDuty's remediation timelines allow for 30 days for High risk vulnerabilities (generally any vulnerability with an environmentally-adjusted CVSS score of 7.0 or greater), 90 days for Moderate risk vulnerabilities (any vulnerability with an environmentally-adjusted CVSS score of 4.0 to 6.9), and 180 days for all remaining non-zero scores.
What's Next 1: If PagerDuty is impacted by a CISA-identified 0-day that is subject to active exploitation, PagerDuty will make every effort to communicate this, and its remediation/migration activities, publicly through the Security section of the Knowledge Base. As an example of the type of communication, PagerDuty communicated its approach to the remediation of log4j in this space: PagerDuty Log4j Zero-Day Vulnerability Updates.
What's Next 2: If PagerDuty is not impacted by a CISA-identified 0-day that is subject to active exploitation, PagerDuty will generally not communicate this publicly. For those customers who require a negative confirmation response, PagerDuty will make every effort to provide a negative confirmation statement available through PagerDuty's Customer Portal in the Documents folder.
Updated about 1 month ago