Vulnerability Remediation SLA
Our Commitment to Security
At Specmatic.io, we take security seriously. Ensuring the security and integrity of our software, users, and the broader development ecosystem is a top priority. We proactively monitor, assess, and respond to potential vulnerabilities — both in Specmatic itself and across its software supply chain.
We follow modern security practices, regularly audit our codebase and dependencies, and release updates frequently to address bugs, improve performance, and enhance security. Specmatic is typically released every few weeks, and many of these releases include dependency upgrades and other security improvements.
We strongly encourage all users to keep their Specmatic installations up to date to benefit from the latest security patches and enhancements.
Scope of This SLA
This SLA outlines our triage and remediation timelines for:
- Vulnerabilities in Specmatic Core – issues in the Specmatic source code, logic, or configurations.
- Vulnerabilities in the Software Supply Chain – issues in third-party libraries and tools used within Specmatic.
1. Vulnerabilities in Specmatic Itself
| Severity Level | Description | SLA for Triage | SLA for Remediation | Mitigation Notes |
|---|---|---|---|---|
| Critical | Actively exploited or easily exploitable with severe impact (e.g., RCE, data leakage) | Within 1 day | Within 7 days | Immediate patch or workaround if possible |
| High | Easily exploitable, high-impact, but not actively exploited | Within 2 days | Within 14 days | |
| Medium | Exploitable under certain conditions or limited scope | Within 5 days | Within 30 days | |
| Low | Informational or minor impact (e.g., missing headers, verbose error messages) | Within 10 days | Within 90 days | May be scheduled with regular release cycle |
2. Vulnerabilities in Software Supply Chain (Dependencies)
| Severity Level | Description | SLA for Triage | SLA for Remediation | Mitigation Notes |
|---|---|---|---|---|
| Critical | Vulnerability in a direct or transitive dependency with active exploitation or a very high CVSS score | Within 2 days | Within 14 days | Update or replace affected component |
| High | Known vulnerability with a CVSS score ≥ 7.0 but no known active exploitation | Within 3 days | Within 21 days | |
| Medium | CVSS score 4.0–6.9, limited exposure or mitigated by usage context | Within 7 days | Within 45 days | May be deferred until routine updates |
| Low | CVSS score < 4.0, negligible impact or internal-only components | Within 10 days | Within 90 days | May be deferred until routine updates |
Note: Specmatic will remediate supply chain vulnerabilities only if a fix is available (e.g., a patched version of the dependency has been released). If no fix is available, we will apply compensating controls or monitor until an update becomes possible.
Remediation Process
- Detection – Vulnerabilities are identified via automated scanners (e.g., Snyk, OWASP Dependency-Check), community reports, or internal testing.
- Triage – The issue is categorized based on severity and impact.
- Remediation – Our team develops, tests, and integrates the fix. For third-party dependencies, we will upgrade to a patched version if one is available.
- Release – The fix is included in the next scheduled release, or in an expedited patch if severity demands it.
- Communication – Critical vulnerabilities are communicated via appropriate channels in accordance with our disclosure policy.
User Recommendations
To ensure the highest level of security:
- Always use the latest available version of Specmatic.
- Subscribe to release announcements or monitor our release notes to stay informed about security updates.
- Report any suspected vulnerabilities to us responsibly through our security contact or disclosure process.