Minimus is committed to patching vulnerabilities in its images within the following timeframes:
  • A critical or high severity vulnerability will be remediated within 48 hours from the time a new release is available from the upstream project that fixes the vulnerability.
  • All other vulnerabilities (Medium and Low severity) will be remediated within 14 calendar days from the date a new release is available from the upstream project that fixes the vulnerability.
The above targets are provided under the applicable Minimus Vulnerability Remediation Policy. Contact us for further information.

Supplementary remediation policies

  • In the event of high-profile CVEs that impact low-level, widely used packages, Minimus will take commercially reasonable efforts to rebuild all images promptly.
  • Backporting security fixes: under certain conditions, Minimus may backport select fixes. See below.
  • Cherry-picking vulnerability fixes: under certain conditions, Minimus may patch a vulnerability before the fix is officially committed to the project’s upstream.

Backporting fixes

Backporting a fix means applying a fix from a newer version of a package to an older version. In rare circumstances, Minimus may backport select fixes from upstream packages and libraries into Minimus images. Minimus is focused on maintaining 100% compatibility with upstream sources. However, there are circumstances where the security needs of our customers, or the risk associated with a vulnerability in a specific package, require more aggressive attention from the Minimus security and engineering teams. In these instances, while an upstream fix is still pending, Minimus may backport a patch to mitigate the risk for users until the fix is available upstream.

Package rebuilds following compiler updates

Minimus automatically rebuilds packages whenever the upstream code changes. Compiler updates, by contrast, trigger a package rebuild only when the new compiler version patches vulnerabilities, that is, only when it changes the security posture of the package. For example, the mongo-tools package is compiled with Go. When a new Go version is released, the existing mongo-tools package is rebuilt only if that Go release delivers vulnerability fixes.
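The rebuild rule above can be checked mechanically, because a Go binary records the toolchain that built it. The following program is an added illustration, not Minimus tooling: it reads the embedded Go version from a binary with the standard `debug/buildinfo` package and reports whether a newer toolchain release on the same minor line carries security fixes. The list of security-fix releases (`securityFixReleases`) is a constructed placeholder; a real pipeline would populate it from the Go release notes or vulnerability database.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// goVersion is a parsed Go toolchain version such as "go1.22.4".
type goVersion struct{ Major, Minor, Patch int }

func (v goVersion) String() string {
	return fmt.Sprintf("go%d.%d.%d", v.Major, v.Minor, v.Patch)
}

// parseGoVersion accepts "go1.22.4", "1.22.4" or "go1.22" (patch defaults to 0).
// Pre-release suffixes such as "go1.23rc1" are truncated to the numeric part.
func parseGoVersion(s string) (goVersion, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "go")
	if i := strings.IndexAny(s, "rb"); i >= 0 { // "rc1", "beta1"
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return goVersion{}, fmt.Errorf("unrecognised Go version %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return goVersion{}, fmt.Errorf("bad component %q in Go version %q", p, s)
		}
		nums[i] = n
	}
	return goVersion{nums[0], nums[1], nums[2]}, nil
}

// less reports whether toolchain a is older than toolchain b.
func less(a, b goVersion) bool {
	if a.Major != b.Major {
		return a.Major < b.Major
	}
	if a.Minor != b.Minor {
		return a.Minor < b.Minor
	}
	return a.Patch < b.Patch
}

// needsRebuild applies the policy from the text: a compiler update triggers a
// rebuild only when it ships vulnerability fixes. fixReleases lists toolchain
// versions known to carry security fixes; the binary needs a rebuild when such
// a release exists on its own minor line and is newer than the toolchain it
// was built with. The newest such release is returned as the rebuild target.
func needsRebuild(built goVersion, fixReleases []goVersion) (bool, goVersion) {
	var target goVersion
	found := false
	for _, r := range fixReleases {
		if r.Major == built.Major && r.Minor == built.Minor && less(built, r) {
			if !found || less(target, r) {
				target, found = r, true
			}
		}
	}
	return found, target
}

// securityFixReleases is a constructed placeholder list for this example;
// populate it from the Go release notes / vulnerability database in practice.
var securityFixReleases = []string{"go1.22.4", "go1.21.11"}

// checkBinary reads the toolchain version embedded in a Go binary at path and
// reports whether the policy calls for a rebuild, plus the versions involved.
func checkBinary(path string, fixes []string) (rebuild bool, built, target goVersion, err error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return false, goVersion{}, goVersion{}, err
	}
	if built, err = parseGoVersion(info.GoVersion); err != nil {
		return false, goVersion{}, goVersion{}, err
	}
	parsed := make([]goVersion, 0, len(fixes))
	for _, f := range fixes {
		v, perr := parseGoVersion(f)
		if perr != nil {
			return false, goVersion{}, goVersion{}, perr
		}
		parsed = append(parsed, v)
	}
	rebuild, target = needsRebuild(built, parsed)
	return rebuild, built, target, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: rebuildcheck <go-binary>")
		os.Exit(2)
	}
	rebuild, built, target, err := checkBinary(os.Args[1], securityFixReleases)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	if rebuild {
		fmt.Printf("%s: built with %s, security-fix toolchain %s available: rebuild\n", os.Args[1], built, target)
		return
	}
	fmt.Printf("%s: built with %s, no security-fix toolchain pending on this line: no rebuild\n", os.Args[1], built)
}
```

Run it against any Go binary (`go build -o rebuildcheck . && ./rebuildcheck /path/to/mongodump`); a binary built with a toolchain older than a listed fix release on the same minor line is flagged, while a toolchain bump that carries no security fixes, or a binary already at the fixed release, produces no rebuild, matching the rule stated above.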