Vulnerability Management. Vendor shall ensure that all Vendor assets, systems or software used to store, process, transmit or maintain Confidential Information are protected from known, discovered, documented, and/or reported vulnerabilities to external threats to functionalities or security by installing applicable and necessary security patches within a reasonable timeframe. As a baseline for reasonableness, Vendor must, at least, provide critical security patches immediately, high security patches within 1 month of release, medium security patches within 60 days, and low security patches within 90 days. Security patch severity will be categorized using the Common Vulnerability Scoring System and the timeframes begin upon the earlier to occur of: (a) the date Customer notifies Vendor of a vulnerability; (b) the date Vendor becomes aware of the vulnerability; or (c) the date the vulnerability is published with Common Vulnerabilities and Exposures.