Security vulnerabilities

As used below, these capitalized terms have the following meanings:

  1. “Error Corrections” mean bug fixes and revisions that correct errors or deficiencies, including Security Vulnerabilities, in the Deliverables.
  3. “Security Vulnerability” means a state in the design, coding, development, implementation, testing, operation, support, maintenance, or management of a Deliverable that allows an attack by anyone that could result in unauthorized access or exploitation, including without limitation (A) access to, controlling or disrupting operation of a system, (B) access to, deleting, altering or extracting data or (C) changes of identity, authorizations or permissions of users or administrators. A Security Vulnerability may exist regardless of whether a Common Vulnerabilities and Exposures (CVE) ID or any scoring or official classification has been assigned to it. For clarity, the following are examples of Security Vulnerabilities: third-party code or end-of-service (EOS) open source code that no longer receives security fixes.
  5. “Mitigation” means any known means of lessening or avoiding the risks of a Security Vulnerability.


Collab represents and warrants that it will (i) use then-current industry-standard best practices to identify Security Vulnerabilities, including through continuous static and dynamic source code application security scanning, open source security scanning and system vulnerability scanning, and (ii) help prevent, detect and correct Security Vulnerabilities in Deliverables and in all Information Technology (“IT”) applications, platforms, and infrastructure in and through which it creates and provides Services and Deliverables.


If Collab becomes aware of a Security Vulnerability in a Deliverable or any such IT applications, platforms, or infrastructure, Collab will provide an Error Correction and Mitigations for all versions and releases of the Deliverables in accordance with the following Severity Levels and time frames:


Severity Level*

Severity 1 – is a critical Security Vulnerability as agreed between Client and Collab, regardless of CVSS Base Score. In making that determination, both parties must consider whether public reports generally categorize the vulnerability as critical, any actual or suspected exploitation, customer inquiries or concerns, and any other reasonably relevant factor. Notwithstanding any other time frame contained in any Agreement, Supplier must provide Mitigations for a Severity 1 Security Vulnerability on an immediate basis.

Severity 2 – is a Security Vulnerability that has a CVSS Base Score from 7.0 to 10.0

Severity 3 – is a Security Vulnerability that has a CVSS Base Score from 4.0 to 6.9

Severity 4 – is a Security Vulnerability that has a CVSS Base Score from 0.0 to 3.9


Time Frames (calendar days)

Asset type      Severity 1    Severity 2    Severity 3    Severity 4
                30 days       90 days       180 days      180 days

* In any case where a Security Vulnerability does not have a readily assigned CVSS Base Score, Collab will propose a Severity Level (1, 2, 3 or 4) that is appropriate for the nature and circumstances of such vulnerability.


For a Security Vulnerability that has been publicly disclosed and for which Collab has not yet provided any Error Correction or Mitigation to the Client, Collab will implement any technically feasible additional security controls that may mitigate the risks of the vulnerability.


Collab will notify the Client promptly, either directly or by way of communication to Collab's customer base, of any changes to any Severity score, together with the rationale and justification for such changes.


If the Client is dissatisfied with Collab’s response to any Security Vulnerability in a Deliverable or any application, platform, or infrastructure referenced above, then without prejudice to any other rights of the Client under any Agreement or at law or equity, Collab will promptly arrange for the Client to discuss its concerns directly with a Collab Vice President or equivalent executive who is responsible for delivery of the Error Correction.