Vulnerabilities. Provider shall have controls in place to identify any security vulnerabilities in the Solutions during development and after release. Provider shall provide RSA written notice of: (a) publicly-acknowledged vulnerabilities/zero-day exploits within five (5) business days of the public acknowledgement, and (b) internally-known yet publicly-undisclosed vulnerabilities/zero-day exploits within ten (10) business days of their discovery. Provider commits to remediate all vulnerabilities identified in the Solutions at Provider’s expense, and to remediate vulnerabilities with a base score above 4 as defined by Common Vulnerability Scoring System in a timeframe commensurate with the risk or as agreed upon with RSA. Provider’s use of open source code shall not alter Provider’s responsibility to identify and remediate vulnerabilities as described here.
Samples: Data Processing Addendum, Data Protection Agreement, www.rsa.com