Terms & Policies

Learn more about Chainguard policies and our legal documents.

Last Updated April 01, 2025



Chainguard SLA

Common Vulnerabilities and Exposures. Chainguard will use commercially reasonable efforts to address common vulnerabilities and exposures (“CVEs”) for Chainguard’s published collection of images (the “Guarded Images”) as covered by this SLA, provided the CVEs meet all of the following requirements (a “Qualifying Patch”):

  1. Scanners used by Chainguard identify a CVE affecting a Guarded Image;

  2. The CVE is fixable independently of any other bugs;

  3. The CVE does not require the recompilation of more than one quarter (or 25%) of all Guarded Images (a “Major CVE Event”);

  4. Either (i) there is an upstream release version available which a credible and independent third party has verified fixes the CVE (i.e. the project maintainers have release notes or a code commit message designating a fix to the CVE) or (ii) an affected Guarded Image can be rebuilt with updated compilers and/or libraries to remediate that CVE; and

  5. The CVE is not related to any image being used on, in combination with, or caused by an operating system not provided by Chainguard.


Severity Scoring. Chainguard may assign each CVE meeting the above criteria a severity score according to the Common Vulnerability Scoring System version 3, in accordance with the standards described at https://nvd.nist.gov/vuln-metrics/cvss. In addition, to the extent Customer requests a CVE severity score, Chainguard may elect to evaluate such CVE to determine, in good faith, the applicable CVE severity score.

Patching. Chainguard shall use commercially reasonable efforts to patch CVEs in Guarded Images within the estimated timeframe set forth below.

Critical Severity: 7 calendar days from the date a Qualifying Patch is publicly available.

High, Medium, and Low Severity: 14 calendar days from the date a Qualifying Patch is publicly available.

In the event a CVE does not meet the requirements of a Qualifying Patch due to a Major CVE Event, Chainguard will use commercially reasonable efforts to rebuild all images promptly.

Remediation. A CVE will be considered patched when any of the following occur:

  1. an Image or update to the Chainguard software is published to the Chainguard hosted registry; or

  2. the CVE either: a) is not reported when passing the published image through Grype and Vexctl; or b) has been demonstrably added to the Chainguard security fixes feed.


In the event an image contains components that are FIPS validated, Chainguard will remediate any CVE in line with the above considerations, unless remediating would void the FIPS validation.


Libraries


Chainguard will take commercially reasonable efforts to remediate CVEs identified by Chainguard in Chainguard Libraries (“Libraries”), provided, however, the parties agree that the SLAs set forth in this document do not apply to Libraries.


Chainguard will use one or more of the following methods in order to remediate CVEs in Libraries:

  1. Building the latest publicly available version from the source code for such Library;

  2. Updating subcomponents of a Library, as applicable, to the latest publicly available version of those same components of the Library.


Chainguard will make commercially reasonable efforts to test the functionality of its Libraries with upstream versions of publicly available libraries (“Public Libraries”) to maintain a reasonably comparable functionality. However, Chainguard Libraries are a modified version of the equivalent Public Library, and Libraries may not provide identical functional equivalence to Public Libraries. Customers are responsible for ensuring that the functionality of the Libraries is appropriate for their intended purpose and uses, and in no event shall Chainguard be responsible for Customer’s intended use.