CVE Remediation: Official vs Community Providers
Last updated: March 6, 2026
Official (Upbound) Providers
Official providers are maintained by Upbound and marked as "Upbound Official" on the Upbound Marketplace. Under Security & Maintenance, these providers include CVE Remediation and Backporting, and are Upbound signed.
CVE remediation for official providers is included under your support agreement. If a vulnerability is identified in an official provider image, raise a support ticket and our team will investigate, confirm impact, and coordinate a fix or updated image.
Remediation SLAs
Once an upstream fix is available, Upbound targets the following timelines for releasing a patched image to the Marketplace:
| CVSS Severity | Target Timeline |
| --- | --- |
| Critical | Within 7 calendar days from the date an upstream fix is publicly available. |
| High / Medium / Low | Within 14 calendar days from the date an upstream fix is publicly available. |
| Unknown severity | Within 30 calendar days from the date an upstream fix is publicly available. |
Support Windows and Backport Eligibility
Official providers receive security support for 12 months from the release date of each minor version. By default, security fixes are backported to minor releases published within the last 6 months. If you require a backport to an older release, contact support to discuss eligibility.
Community Providers
Community providers are maintained by the open-source community and marked as "Community" on the Upbound Marketplace.
CVE remediation for community providers is not covered under your support agreement. Upbound does not maintain or publish patched images for community providers.
Options for Community Provider CVEs
Professional Services: Upbound can assist with rebuilt images, hardening guidance, or migration to an official provider alternative through a Professional Services engagement. Contact your Solutions Architect to scope this.
Self-remediation: As community providers are open source, your team can rebuild the image from source with updated base images or dependencies.
Migration: Where an official Upbound provider equivalent exists, consider migrating to the supported alternative.
How to Identify Your Provider Type
Check your provider on the Upbound Marketplace.
Official providers display the "Upbound Official" badge and show CVE Remediation under Security & Maintenance.

Community providers display the "Community" badge.

You can also filter by tier directly:
For full details on release cadence and support policies, see the Package Policies documentation.
Questions?
If you're unsure whether your provider is covered, raise a support ticket and we'll confirm.