Initial CVE policy update

docs/reference/cve-policy.md

@@ -0,0 +1,132 @@
+---
+title: CVE remediation policy
+sidebar_position: 3
+description: How Upbound identifies, prioritizes, and remediates CVEs across the Upbound Platform.
+---
+
+<!-- vale Google.Will = NO -->
+<!-- vale gitlab.FutureTense = NO -->
+<!-- vale write-good.Passive = NO -->
+<!-- vale gitlab.SentenceLength = NO -->
+<!-- vale Google.Headings = NO -->
+<!-- vale Microsoft.HeadingAcronyms = NO -->
+
+:::note
+**Policy version:** `1.0.0`
+**Effective date:** `15 June 2026`
+:::
+
+This policy covers CVE remediation across the Upbound Platform, including
+Upbound Crossplane (UXP), Spaces, and Official Providers. Crossplane OSS is out
+of scope.
+
+## CVE remediation SLAs
+
+Security is a top priority for Upbound. Upbound actively monitors and addresses
+security vulnerabilities in its packages. Upbound will make reasonable
+commercial effort to ensure the images distributed as part of the Upbound
+Platform are free from [Common Vulnerabilities and Exposures][cves] (CVEs) under
+the following conditions:
+
+- Upbound's vulnerability scanners identify a CVE affecting a package.
+- The CVE is independently fixable of any other bugs. For a CVE to be fixable, there must be an upstream release version available that has been verified to fix the CVE.
+
+Upbound addresses each qualifying CVE based on its severity score under the
+[Common Vulnerability Scoring System version 3][cvss3] and notes exploitable issues:
+
+| Severity | SLA |
+|---|---|
+| Critical Exploitable | Within 7 business days from the date an upstream fix is publicly available |
+| Critical | Within 14 business days from the date an upstream fix is publicly available |
+| High | Within 30 business days from the date an upstream fix is publicly available |
+| Medium and Low | Addressed when upstream fixes are available, on an as-needed basis |
+| Non-exploitable | Addressed on an as-needed basis |
+
+## Backport policy
+
+Upbound backports CVE patches to supported minor releases when:
+
+- The release is within its 12-month support window, **and**
+- The CVE severity is Medium or higher, **or**
+- The fix is requested by an Enterprise or Business Critical customer on that release.
+
+Low-severity CVEs are addressed in the next minor release only and aren't
+backported.
+
+## End of life
+
+When a minor release exits its 12-month support window, it enters End of Life
+(EOL). EOL releases receive no further CVE patches. Customers on EOL releases
+should upgrade to a supported minor version. Upgrade guidance is published in
+the release notes. Where breaking changes exist, Upbound provides a migration
+guide.
+
+## Product support policies
+
+The sections below describe the release cadence and CVE support window for each
+component of the Upbound Platform.
+
+### Official Providers
+
+Minor versions ship on a continuous cadence as upstream providers and cloud APIs
+evolve. Patch releases are cut as needed against supported minor versions.
+
+- Each minor release is supported for 12 months from its general availability (GA) date.
+- The supported release set at any time is all minor versions with a GA date within the trailing 12 months.
+- CVE patches are backported to all minor releases within their 12-month window when the CVE is triaged.
+
+### Upbound Crossplane (UXP)
+
+Minor releases ship aligned to the upstream Crossplane release cadence,
+targeting a new minor version around every 6 weeks (around 8 to 9 per
+year). Patch releases are cut as needed between minor releases for Critical and
+High CVEs.
+
+- Each minor release is supported for 12 months from its GA date.
+- With a ~6-week cadence, customers can expect around 8 to 9 concurrently supported minor versions at any time.
+- CVE patches are backported to all minor releases within their 12-month window at the time the CVE is triaged.
+
+### Upbound Spaces and Hub
+
+<!-- vale write-good.Weasel = NO -->
+Minor releases ship on a quarterly cadence, targeting 4 minor releases per year.
+Patch releases are cut as needed between minor releases for Critical and High
+CVEs.
+<!-- vale write-good.Weasel  = YES -->
+
+- Each minor release is supported for 12 months from its GA date.
+- With a quarterly cadence, customers can expect up to 4 concurrently supported minor versions at any time. This typically means the 3 to 4 most recent.
+- CVE patches are backported to all minor releases within their 12-month window at the time the CVE is triaged.
+
+Upbound bundles Kubernetes, UXP, and other infrastructure components within
+Spaces. CVEs in bundled dependencies are evaluated and patched under the same
+SLAs as first-party CVEs. Upbound publishes a software bill of materials (SBOM)
+for each release to support customer vulnerability tracking.
+
+## How Upbound triages CVEs
+
+All customer-reported CVEs and defects are triaged by the responsible team's
+Product Manager (PM), Engineering Manager (EM), and Technical Lead (TL). This
+group confirms severity, assesses business impact, assigns ownership, and drives
+the issue to resolution within the applicable SLA.
+
+Triage cadence is determined by severity:
+<!-- vale alex.ProfanityUnlikely = NO -->
+<!-- vale Microsoft.Adverbs = NO -->
+<!-- vale alex.LGBTQ = NO -->
+- **Critical**: Triaged on-demand. The team's on-call engineer is paged immediately. The PM, EM, and TL convene as soon as possible to assess impact and assign remediation ownership. Remediation is treated as an immediate priority,
+bypassing normal sprint processes.
+- **High**: Triaged twice per week as part of the team's regularly scheduled backlog grooming. Newly identified High severity CVEs are added to the grooming agenda and reviewed at the next available session.
+- **Medium and Low**: Triaged bi-weekly as part of normal Sprint Planning. These issues are reviewed, prioritized relative to other work, and scheduled into a future sprint at the team's discretion.
+<!-- vale Microsoft.Adverbs = YES -->
+<!-- vale  alex.ProfanityUnlikely  = YES -->
+<!-- vale alex.LGBTQ = YES -->
+
+## Scope limitations
+
+Upbound reserves the right to decline remediation for false positives or CVEs
+that aren't present in the executable code path of the Upbound Platform
+products.
+
+[cves]: https://nvd.nist.gov/general/cve-process
+[cvss3]: https://nvd.nist.gov/vuln-metrics/cvss

utils/vale/styles/Upbound/spelling-exceptions.txt

@@ -200,6 +200,8 @@ onboarding
 XRCs
 ARNs
 autogenerated
+triaged
+triages
 Traefik
 Traefik's
 HTTPRoute