Topic

When to patch vulnerabilities

Applicable to

all

History

Dec 2023

Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.

The existing control relating to applying patches, updates or other vendor mitigations for vulnerabilities in online services within two weeks of release was amended to note that this relates to situations where vulnerabilities are assessed as non-critical by vendors and no working exploits exist.

Sep 2023

Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within two weeks of release.

References to ‘security vulnerabilities’ were replaced with ‘vulnerabilities’.

Sep 2023

Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within two weeks of release.

References to ‘internet-facing services’ were replaced with ‘online services’.

Sep 2023

Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within two weeks of release.

The existing controls relating to patching, updating or applying other vendor mitigations for vulnerabilities within two weeks of release, or 48 hours of release when working exploits exist, were all split into two separate controls to allow for separate assessment of standard patching practices (i.e. within two weeks) and quick response patching practices (i.e. within 48 hours). In addition, scenarios in which vulnerabilities are assessed as critical by vendors (e.g. they facilitate remote code exploitation without user interaction, or facilitate authentication bypasses that grant privileged access) have been included within the quick response patching window. Typically, vendors or the ACSC will release ‘critical alerts’ for situations that require a quick response. [ISM-1690, ISM-1694, ISM-1697, ISM-1751, ISM-1876, ISM-1877, ISM-1878, ISM-1789]