Vulnerabilities identified in software are resolved by software developers in a timely manner.
Topic: Reporting and resolving vulnerabilities
Applicable to: Non Classified, Official, Protected, Secret, Top Secret
History
Mar 2025
Vulnerabilities identified in software are resolved by software developers in a timely manner.
A number of existing controls were reworded for clarity without changing their intent.
Sep 2023
Vulnerabilities identified in applications are resolved by software developers in a timely manner.
References to ‘security vulnerabilities’ were replaced with ‘vulnerabilities’.
Mar 2023
Security vulnerabilities identified in applications are resolved by software developers in a timely manner.
An existing control relating to software developers resolving security vulnerabilities was amended to specify that this should be done in a timely manner.
Mar 2022
Security vulnerabilities identified in applications are resolved by software developers.
In addition to ensuring applications are robustly tested for security vulnerabilities prior to their initial release, they should also be robustly tested for security vulnerabilities following any maintenance activities. Subsequently, any security vulnerabilities that are identified should be remedied.