# Vulnerability Remediation Policy

> Understand the Minimus vulnerability patching policy

Minimus is committed to patching vulnerabilities in its images within the following timeframes:

* A critical or high severity vulnerability will be remediated within 48 hours from the time a new release is available from the upstream project that fixes the vulnerability.
* All other vulnerabilities (medium and low severity) will be remediated within 14 calendar days from the date a new release is available from the upstream project that fixes the vulnerability.

The above targets are provided under the applicable Minimus Vulnerability Remediation Policy. [Contact us for further information](https://support.minimus.io/support/home).

### Supplementary remediation policies

* High-profile CVEs: In the event of high-profile CVEs that impact low-level, widely used packages, Minimus will make commercially reasonable efforts to rebuild all images promptly.
* Backporting security fixes: Under certain conditions, Minimus may backport select fixes. [See below](#backporting-fixes).
* Cherry-picking vulnerability fixes: Under certain conditions, Minimus may patch a vulnerability before the fix is officially committed to the project’s upstream. [Learn more](/remediate/policies/cherry-pick-patches).

## Backporting fixes

Backporting means applying a fix from a newer version of a package to an older version. In rare circumstances, Minimus may backport select fixes from upstream packages and libraries into Minimus images.

Minimus is focused on maintaining 100% compatibility with upstream sources. However, there are circumstances where the security needs of our customers or the risk associated with a vulnerability in a specific package require more aggressive attention from the Minimus security and engineering teams. In these instances, while Minimus waits for an upstream fix, it may backport a patch to mitigate the risk for users until the fix is available upstream.

## Package rebuilds following compiler updates

Minimus automatically rebuilds packages whenever the upstream code changes. In contrast, a compiler update triggers a package rebuild only if the rebuild will patch vulnerabilities. That is, a package will be rebuilt following a compiler update only if the new compiler version will impact the security posture of the package.

For example, the mongo-tools package is compiled with Go. If Go releases a new version, the existing mongo-tools package will be rebuilt only if the new Go compiler version delivers vulnerability fixes.
