
CVE remediation policy

Note: Policy version 1.0.0. Effective date: 15 June 2026.

This policy covers CVE remediation across the Upbound Platform, including Upbound Crossplane (UXP), Spaces, and Official Providers. Crossplane OSS is out of scope.

CVE remediation SLAs

Security is a top priority for Upbound. Upbound actively monitors and addresses security vulnerabilities in its packages. Upbound will make reasonable commercial effort to ensure the images distributed as part of the Upbound Platform are free from Common Vulnerabilities and Exposures (CVEs) under the following conditions:

  • Upbound's vulnerability scanners identify a CVE affecting a package.
  • The CVE is fixable independently of any other bugs. For a CVE to count as fixable, an upstream release version must be available that has been verified to fix the CVE.

Upbound addresses each qualifying CVE based on its severity score under the Common Vulnerability Scoring System version 3 (CVSS v3), with exploitable issues tracked separately:

Severity             | SLA
---------------------|-------------------------------------------------------------------------------
Critical Exploitable | Within 7 business days from the date an upstream fix is publicly available
Critical             | Within 14 business days from the date an upstream fix is publicly available
High                 | Within 30 business days from the date an upstream fix is publicly available
Medium and Low       | Addressed when upstream fixes are available, on an as-needed basis
Non-exploitable      | Addressed on an as-needed basis

Backport policy

Upbound backports CVE patches to supported minor releases when the release is within its 12-month support window, and at least one of the following holds:

  • The CVE severity is Medium or higher, or
  • The fix is requested by an Enterprise or Business Critical customer on that release.

Low-severity CVEs are addressed in the next minor release only and aren't backported.

End of life

When a minor release exits its 12-month support window, it enters End of Life (EOL). EOL releases receive no further CVE patches. Customers on EOL releases should upgrade to a supported minor version. Upgrade guidance is published in the release notes. Where breaking changes exist, Upbound provides a migration guide.

Product support policies

The sections below describe the release cadence and CVE support window for each component of the Upbound Platform.

Official Providers

Minor versions ship on a continuous cadence as upstream providers and cloud APIs evolve. Patch releases are cut as needed against supported minor versions.

  • Each minor release is supported for 12 months from its general availability (GA) date.
  • The supported release set at any time is all minor versions with a GA date within the trailing 12 months.
  • CVE patches are backported to all minor releases within their 12-month window when the CVE is triaged.

Upbound Crossplane (UXP)

Minor releases ship aligned to the upstream Crossplane release cadence, targeting a new minor version around every 6 weeks (around 8 to 9 per year). Patch releases are cut as needed between minor releases for Critical and High CVEs.

  • Each minor release is supported for 12 months from its GA date.
  • With a ~6-week cadence, customers can expect around 8 to 9 concurrently supported minor versions at any time.
  • CVE patches are backported to all minor releases within their 12-month window at the time the CVE is triaged.

Upbound Spaces

Minor releases ship on a quarterly cadence, targeting 4 minor releases per year. Patch releases are cut as needed between minor releases for Critical and High CVEs.

  • Each minor release is supported for 12 months from its GA date.
  • With a quarterly cadence, customers can expect up to 4 concurrently supported minor versions at any time. This typically means the 3 to 4 most recent.
  • CVE patches are backported to all minor releases within their 12-month window at the time the CVE is triaged.

Upbound bundles Kubernetes, UXP, and other infrastructure components within Spaces. CVEs in bundled dependencies are evaluated and patched under the same SLAs as first-party CVEs.

Spaces Support Lifecycle

Minor Version | Current Minor Release Date | Latest Patch Release | Latest Patch Release Date | End of Support (EOL) Date
--------------|----------------------------|----------------------|---------------------------|--------------------------
v1.17         | 2026-05-18                 | v1.17.0              | 2026-05-18                | 2027-05-18
v1.16         | 2026-03-13                 | v1.16.1              | 2026-05-22                | 2027-03-13
v1.15         | 2025-11-18                 | v1.15.4              | 2026-05-22                | 2026-11-18
v1.14         | 2025-09-16                 | v1.14.7              | 2026-05-22                | 2026-09-16
v1.13         | 2025-06-11                 | v1.13.6              | 2026-03-16                | 2026-06-11