Version: 1.0 (2026-02-25)
CSA applies the following response targets to every in-scope vulnerability report.
- Target: Respond to the reporter within five business days via the same channel used for submission (GitHub PVR or security@cloudsecurityalliance.org).
- Purpose: Confirms receipt, shares the tracking identifier, and communicates the next expected milestone.
- Target: Provide a substantive update at least every 30 days while the issue remains open.
- Purpose: Keeps the reporter informed about investigation, remediation progress, or dependencies that may affect timing.
- Target: Resolve, mitigate, or coordinate publication within 90 days of acknowledgment.
- Negotiation: If the fix or publication cannot be completed within 90 days, CSA and the reporter agree on a new timeline and record the decision in the case log.
- Acceleration: Critical issues may be addressed faster; CSA will communicate sooner whenever possible.
For each report CSA records:
- The date the report arrived and the channel used.
- When acknowledgment was sent and to whom.
- The date of each status update (or the reason, if a monthly update was not required).
- The remediation or publication date, plus notes on any mutually agreed extensions.
This document is the authoritative source for SLA expectations referenced in the governance framework, disclosure policy, and handling process.