PagerDuty and CISA 0-Day Vulnerability Remediation Timelines

How does PagerDuty manage critical and zero-day vulnerability remediation timelines from CISA or equivalent agencies?

PagerDuty remediation timelines require teams to address critical and zero-day vulnerabilities as soon as possible and no later than the mandated timeline. This policy applies to advisories from the Cybersecurity and Infrastructure Security Agency (CISA) or equivalent agencies, including the UK National Cyber Security Centre. Teams make every effort to remediate as soon as possible, while allowing time to test the proposed patch so that the fix does not introduce more issues than it resolves. This protocol addresses cybersecurity risks, including risks introduced by vulnerabilities in open source software and in third-party software and hardware, so that you are not exposed to the risk of compromise through third-party suppliers.

What are the PagerDuty remediation timelines for vulnerabilities?

PagerDuty responses to vulnerabilities, including patching, are informed by the related NIST SP 800-53 controls and the FedRAMP Low Impact Baseline controls. PagerDuty remediation timelines provide the following periods:

  • 30 days for High risk vulnerabilities (vulnerabilities with an environmentally-adjusted CVSS score of 7.0 or greater).
  • 90 days for Moderate risk vulnerabilities (vulnerabilities with an environmentally-adjusted CVSS score of 4.0 to 6.9).
  • 180 days for all remaining vulnerabilities with a non-zero environmentally-adjusted CVSS score.

How does PagerDuty communicate if a CISA-identified zero-day vulnerability subject to active exploitation impacts the platform?

If a CISA-identified zero-day vulnerability that is subject to active exploitation impacts PagerDuty, PagerDuty makes every effort to communicate this event and its remediation or mitigation activities publicly through the Security section of the knowledge base. For example, PagerDuty documented its approach to the remediation of Log4j in the PagerDuty Log4j Zero-Day Vulnerability Updates article.

How can I confirm that PagerDuty is not impacted by a CISA-identified zero-day vulnerability?

If a CISA-identified zero-day vulnerability that is subject to active exploitation does not impact PagerDuty, PagerDuty generally does not communicate this publicly. If you require a negative confirmation response, PagerDuty makes every effort to provide a negative confirmation statement through the PagerDuty Customer Portal.