From 7bff9c599558cbe1fb14f81e9e7f913800d737d2 Mon Sep 17 00:00:00 2001 From: Adam Vialpando Date: Mon, 4 May 2026 12:19:17 -0700 Subject: [PATCH] docs: add CVE remediation SLAs to support page Document Flagsmith's CVE remediation SLAs (30/60/90 days for critical/high, medium, and low) and the severity model based on CVSS together with exploitability as Flagsmith uses the component. --- docs/docs/support/index.mdx | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/docs/docs/support/index.mdx b/docs/docs/support/index.mdx index c5fd1e301e7b..61659984de33 100644 --- a/docs/docs/support/index.mdx +++ b/docs/docs/support/index.mdx @@ -32,6 +32,20 @@ Beyond that, many issues have already been solved. A quick search can save you t - [Rust](https://github.com/Flagsmith/flagsmith-rust-client) - [Elixir](https://github.com/Flagsmith/flagsmith-elixir-client) +## CVEs and Vulnerability Reports + +### Remediation SLAs + +Severity is assigned using CVSS together with the exploitability of the component as Flagsmith uses it. + +| Severity | Remediation SLA | +| ------------- | --------------- | +| Critical/High | 30 days | +| Medium | 60 days | +| Low | 90 days | + +Flagsmith evaluates exploitability for each reported finding. + ## What We Need From You When you do reach out, including the right information from the start makes a big difference. Here's what helps us
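Review bot: The Remediation SLAs table added under "### Remediation SLAs" gives 30, 60 and 90 days but never says when the clock starts or what counts as remediated, so a reader cannot tell whether a given finding is inside or outside the SLA. Suggest one sentence under the table naming the start event (for example the date the finding is reported or triaged) and the end event (fix merged, fix released, or fix deployed). The closing line "Flagsmith evaluates exploitability for each reported finding." largely repeats the sentence above the table; consider merging the two and stating whether the assigned severity can end up different from the CVSS rating once exploitability is considered. The "## CVEs and Vulnerability Reports" heading also suggests reporting guidance, but the added lines give no channel or contact for submitting a report; either add one or narrow the heading.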