▲ | marcc 2 days ago | ||||||||||||||||
We often deliver in way less than 6 days but sometimes the dependency tree is deep for a patch. I've seen most auditors mandate 30 days for Critical, but you clearly want to move a lot quicker than that. | |||||||||||||||||
▲ | grantlmiller 2 days ago | parent | next [-] | ||||||||||||||||
the goal is going to be 6 hours! | |||||||||||||||||
▲ | mike_d 2 days ago | parent | prev [-] | ||||||||||||||||
> I've seen most auditors mandate 30 days for Critical, but you clearly want to move a lot quicker than that. You seem to fundamentally not understand security. A proper security program should never be driven by an auditors expectations or even used as a reasonable guideline. Don't track CVEs and SLAs in days. You need to have patches out before active exploitation in the wild begins, that is the only metric that matters. Go talk to Greynoise about how to get that data. | |||||||||||||||||
|