For industry-reported vulnerabilities in Rancher, Kubernetes, and Docker, Rancher Labs strives to adhere to the DHS BOD 19-02 guideline as posted here. At a high level, the guideline sets remediation windows along the following lines:
- Critical vulnerabilities must be remediated within 15 calendar days of initial detection.
- High vulnerabilities must be remediated within 30 calendar days of initial detection.
In practice, for Kubernetes and Docker vulnerabilities, Rancher Labs generally makes the relevant Rancher patch releases available the same day (or within the same week) that the related upstream Kubernetes or Docker patch is released. For example, the recent Rancher v2.2.9 and v2.3.1 releases were made available to address Kubernetes CVE-2019-11253 and CVE-2019-1627 on the same day that upstream Kubernetes released the patches for them.