From f81612d56f6208f4fb9150c4efef62ac7d0e656d Mon Sep 17 00:00:00 2001 From: Rae Sharp Date: Thu, 4 Jun 2026 13:59:41 -0400 Subject: [PATCH 1/3] Initial CVE policy update Signed-off-by: Rae Sharp --- docs/reference/cve-policy.md | 126 +++++++++++++++++++++++++++++++++++ 1 file changed, 126 insertions(+) create mode 100644 docs/reference/cve-policy.md diff --git a/docs/reference/cve-policy.md b/docs/reference/cve-policy.md new file mode 100644 index 00000000..6196d6a6 --- /dev/null +++ b/docs/reference/cve-policy.md 
@@ -0,0 +1,126 @@ +--- +title: CVE remediation policy +sidebar_position: 3 +description: How Upbound identifies, prioritizes, and remediates CVEs across the Upbound Platform. +--- + + + + + + + + +:::note +**Policy version:** `1.0.0` +**Effective date:** `15 June 2026` +::: + +This policy covers CVE remediation across the Upbound Platform, including +Upbound Crossplane (UXP), Spaces, and Official Providers. Crossplane OSS is out +of scope. + +## CVE remediation SLAs + +Security is a top priority for Upbound. Upbound actively monitors and addresses +security vulnerabilities in its packages. Upbound will make reasonable +commercial effort to ensure the images distributed as part of the Upbound +Platform are free from [Common Vulnerabilities and Exposures][cves] (CVEs) under +the following conditions: + +- Upbound's vulnerability scanners identify a CVE affecting a package. +- The CVE is independently fixable of any other bugs. For a CVE to be fixable, there must be an upstream release version available that has been verified to fix the CVE. + +Upbound addresses each qualifying CVE based on its severity score under the +[Common Vulnerability Scoring System version 3][cvss3], with an additional +exploitability classification: + +| Severity | SLA | +|---|---| +| Critical Exploitable | Within 7 business days from the date an upstream fix is publicly available | +| Critical | Within 14 business days from the date an upstream fix is publicly available | +| High | Within 30 business days from the date an upstream fix is publicly available | +| Medium and Low | Addressed when upstream fixes are available, on an as-needed basis | +| Non-exploitable | Addressed on an as-needed basis | + +## Backport policy + +Upbound backports CVE patches to supported minor releases when: + +- The release is within its 12-month support window, **and** +- The CVE severity is Medium or higher, **or** +- The fix is requested by an Enterprise or Business Critical customer on that release. 
+ +Low-severity CVEs are addressed in the next minor release only and are not +backported. + +## End of life + +When a minor release exits its 12-month support window, it enters End of Life +(EOL). EOL releases receive no further CVE patches. Customers on EOL releases +should upgrade to a supported minor version. Upgrade guidance is published in +the release notes. Where breaking changes exist, Upbound provides a migration +guide. + +## Product support policies + +The sections below describe the release cadence and CVE support window for each +component of the Upbound Platform. + +### Official Providers + +Minor versions ship on a continuous cadence as upstream providers and cloud APIs +evolve. Patch releases are cut as needed against supported minor versions. + +- Each minor release is supported for 12 months from its general availability (GA) date. +- The supported release set at any point in time is all minor versions with a GA date within the trailing 12 months. There is no hard cap on the number of concurrently supported versions — support is window-based. +- CVE patches are backported to all minor releases within their 12-month window at the time the CVE is triaged. + +### Upbound Crossplane (UXP) + +Minor releases ship aligned to the upstream Crossplane release cadence, +targeting a new minor version approximately every 6 weeks (roughly 8–9 per +year). Patch releases are cut as needed between minor releases for Critical and +High CVEs. + +- Each minor release is supported for 12 months from its GA date. +- With a ~6-week cadence, customers can expect roughly 8–9 concurrently supported minor versions at any point in time. +- CVE patches are backported to all minor releases within their 12-month window at the time the CVE is triaged. + +### Upbound Spaces and Hub + +Minor releases ship on a quarterly cadence, targeting 4 minor releases per year. +Patch releases are cut as needed between minor releases for Critical and High +CVEs. 
+ +- Each minor release is supported for 12 months from its GA date. +- With a quarterly cadence, customers can expect up to 4 concurrently supported minor versions at any given time — typically the 3–4 most recent. +- CVE patches are backported to all minor releases within their 12-month window at the time the CVE is triaged. + +Upbound bundles Kubernetes, UXP, and other infrastructure components within +Spaces. CVEs in bundled dependencies are evaluated and patched under the same +SLAs as first-party CVEs. Upbound publishes a software bill of materials (SBOM) +for each release to support customer vulnerability tracking. + +## How Upbound triages CVEs + +All customer-reported CVEs and defects are triaged by the responsible team's +Product Manager (PM), Engineering Manager (EM), and Technical Lead (TL). This +group confirms severity, assesses business impact, assigns ownership, and drives +the issue to resolution within the applicable SLA. + +Triage cadence is determined by severity: + +- **Critical**: Triaged on-demand. The team's on-call engineer is paged immediately. The PM, EM, and TL convene as soon as possible to assess impact and assign remediation ownership. Remediation is treated as an immediate priority, +bypassing normal sprint processes. +- **High**: Triaged twice per week as part of the team's regularly scheduled backlog grooming. Newly identified High severity CVEs are added to the grooming agenda and reviewed at the next available session. +- **Medium and Low**: Triaged bi-weekly as part of normal Sprint Planning. These issues are reviewed, prioritized relative to other work, and scheduled into a future sprint at the team's discretion. + +## Scope limitations + +Upbound reserves the right to decline remediation for false positives or CVEs +that are not present in the executable code path of the Upbound Platform +products. + +[cves]: https://nvd.nist.gov/general/cve-process +[cvss3]: https://nvd.nist.gov/vuln-metrics/cvss 
From 2194313eab6c7fb844bc4699eb9c2bb233e6cb5f Mon Sep 17 00:00:00 2001 From: Rae Sharp Date: Thu, 4 Jun 2026 15:25:13 -0400 Subject: [PATCH 2/3] vale updates Signed-off-by: Rae Sharp --- docs/reference/cve-policy.md | 17 +++++++++-------- .../vale/styles/Upbound/spelling-exceptions.txt | 2 ++ 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/docs/reference/cve-policy.md b/docs/reference/cve-policy.md index 6196d6a6..800c5806 100644 --- a/docs/reference/cve-policy.md +++ b/docs/reference/cve-policy.md @@ -32,8 +32,7 @@ the following conditions: - The CVE is independently fixable of any other bugs. For a CVE to be fixable, there must be an upstream release version available that has been verified to fix the CVE. Upbound addresses each qualifying CVE based on its severity score under the -[Common Vulnerability Scoring System version 3][cvss3], with an additional -exploitability classification: +[Common Vulnerability Scoring System version 3][cvss3] and notes exploitable issues: | Severity | SLA | |---|---| @@ -51,7 +50,7 @@ Upbound backports CVE patches to supported minor releases when: - The CVE severity is Medium or higher, **or** - The fix is requested by an Enterprise or Business Critical customer on that release. -Low-severity CVEs are addressed in the next minor release only and are not +Low-severity CVEs are addressed in the next minor release only and aren't backported. ## End of life 
@@ -73,28 +72,30 @@ Minor versions ship on a continuous cadence as upstream providers and cloud APIs evolve. Patch releases are cut as needed against supported minor versions. - Each minor release is supported for 12 months from its general availability (GA) date. -- The supported release set at any point in time is all minor versions with a GA date within the trailing 12 months. There is no hard cap on the number of concurrently supported versions — support is window-based. -- CVE patches are backported to all minor releases within their 12-month window at the time the CVE is triaged. +- The supported release set at any time is all minor versions with a GA date within the trailing 12 months. +- CVE patches are backported to all minor releases within their 12-month window when the CVE is triaged. ### Upbound Crossplane (UXP) Minor releases ship aligned to the upstream Crossplane release cadence, -targeting a new minor version approximately every 6 weeks (roughly 8–9 per +targeting a new minor version around every 6 weeks (around 8 to 9 per year). Patch releases are cut as needed between minor releases for Critical and High CVEs. - Each minor release is supported for 12 months from its GA date. -- With a ~6-week cadence, customers can expect roughly 8–9 concurrently supported minor versions at any point in time. +- With a ~6-week cadence, customers can expect around 8 to 9 concurrently supported minor versions at any time. - CVE patches are backported to all minor releases within their 12-month window at the time the CVE is triaged. ### Upbound Spaces and Hub + Minor releases ship on a quarterly cadence, targeting 4 minor releases per year. Patch releases are cut as needed between minor releases for Critical and High CVEs. + - Each minor release is supported for 12 months from its GA date. -- With a quarterly cadence, customers can expect up to 4 concurrently supported minor versions at any given time — typically the 3–4 most recent. 
+- With a quarterly cadence, customers can expect up to 4 concurrently supported minor versions at any time. This typically means the 3 to 4 most recent. - CVE patches are backported to all minor releases within their 12-month window at the time the CVE is triaged. Upbound bundles Kubernetes, UXP, and other infrastructure components within diff --git a/utils/vale/styles/Upbound/spelling-exceptions.txt b/utils/vale/styles/Upbound/spelling-exceptions.txt index dedf72e5..10eb8682 100644 --- a/utils/vale/styles/Upbound/spelling-exceptions.txt +++ b/utils/vale/styles/Upbound/spelling-exceptions.txt @@ -200,6 +200,8 @@ onboarding XRCs ARNs autogenerated +triaged +triages Traefik Traefik's HTTPRoute From 9b3e81f9a74b8d2a4d3f646c91a3e20668711468 Mon Sep 17 00:00:00 2001 From: Rae Sharp Date: Thu, 4 Jun 2026 15:26:23 -0400 Subject: [PATCH 3/3] vale again Signed-off-by: Rae Sharp --- docs/reference/cve-policy.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/docs/reference/cve-policy.md b/docs/reference/cve-policy.md index 800c5806..efa52ea2 100644 --- a/docs/reference/cve-policy.md +++ b/docs/reference/cve-policy.md 
@@ -111,16 +111,21 @@ group confirms severity, assesses business impact, assigns ownership, and drives the issue to resolution within the applicable SLA. Triage cadence is determined by severity: - + + + - **Critical**: Triaged on-demand. The team's on-call engineer is paged immediately. The PM, EM, and TL convene as soon as possible to assess impact and assign remediation ownership. Remediation is treated as an immediate priority, bypassing normal sprint processes. - **High**: Triaged twice per week as part of the team's regularly scheduled backlog grooming. Newly identified High severity CVEs are added to the grooming agenda and reviewed at the next available session. - **Medium and Low**: Triaged bi-weekly as part of normal Sprint Planning. These issues are reviewed, prioritized relative to other work, and scheduled into a future sprint at the team's discretion. + + + ## Scope limitations Upbound reserves the right to decline remediation for false positives or CVEs -that are not present in the executable code path of the Upbound Platform +that aren't present in the executable code path of the Upbound Platform products. [cves]: https://nvd.nist.gov/general/cve-process
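Review bot: in the second patch, rewording the CVSS sentence to `[Common Vulnerability Scoring System version 3][cvss3] and notes exploitable issues:` drops the point the original made, namely that exploitability is a second classification that changes the SLA; the table below still carries `Critical Exploitable` and `Non-exploitable` rows with their own SLAs, and "notes exploitable issues" no longer explains why those rows exist. Suggest a phrasing that satisfies Vale and keeps the meaning, such as "and adjusts the SLA based on whether the CVE is exploitable:". In the same patch the Official Providers hunk deletes `There is no hard cap on the number of concurrently supported versions — support is window-based.` with no replacement; because providers ship on a continuous cadence, that sentence was the only statement that the supported set is unbounded, in contrast to UXP (8 to 9) and Spaces (up to 4), so keep it in a rewritten form such as "There is no fixed limit on the number of concurrently supported versions." Also only the providers bullet was changed to `when the CVE is triaged`; the UXP and Spaces bullets still read "at the time the CVE is triaged", so apply one wording to all three.

Review bot: the third patch's hunk around the triage list adds only blank lines (`+` with no content) before and after the three bullets and before `## Scope limitations`. If these were meant to carry Vale on/off comment markers, the markup is not visible in the hunk; if they are plain spacing, three blank lines in a row are unnecessary in Markdown and will be collapsed on render. Confirm what the committed file actually contains.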