Minimus is committed to patching vulnerabilities in its images within the following timeframes:
  • A critical or high severity vulnerability will be remediated within 48 hours from the time a new release is available from the upstream project that fixes the vulnerability.
  • All other vulnerabilities (Medium and Low severity) will be remediated within 14 calendar days from the date a new release is available from the upstream project that fixes the vulnerability.
The above targets are provided under the applicable Minimus Vulnerability Remediation Policy. Contact us for further information.

Supplementary remediation policies

  • In the event of high-profile CVEs that impact low-level, widely used packages, Minimus will take commercially reasonable efforts to rebuild all images promptly.
  • Backporting security fixes - Under certain conditions, Minimus may backport select fixes. See below.
  • Cherry-pick vulnerability fixes - Under certain conditions, Minimus may patch a vulnerability before the fix is officially committed to the project’s upstream.

Backporting fixes

Backporting a fix means applying a fix from a newer version to an older version. In rare circumstances, Minimus may backport select fixes from upstream packages and libraries into Minimus images. Minimus is focused on maintaining 100% compatibility with upstream sources. However, there are circumstances where the security needs of our customers or the risk associated with a vulnerability in a specific package require more aggressive attention from the Minimus security and engineering teams. In these instances, while Minimus waits for an upstream fix, it may backport a patch to mitigate the risk for users until the fix is available upstream.