Vulnerability Resolution Statement
SAS does not guarantee any particular timeframe or breadth of availability for resolution of any specific security issue or class of security issues.
In an effort to provide the best possible security posture for all customers, SAS applies the following principles to prioritize its vulnerability resolution and security update efforts:
- Use commercially reasonable efforts to resolve vulnerabilities and make security updates available to customers.
- Stay committed to continuous improvement in the availability, ease, and timeliness of security updates for SAS software.
- Prioritize vulnerabilities for resolution using Common Vulnerability Scoring System (CVSS) scores and other relevant risk factors.
- Focus efforts to make security updates available to customers by using the following priority order:
1. Releases that are in development.
2. The latest release that is under standard support.
3. Prior releases, for which backports of security updates are made available based on case-by-case evaluation.
A key aspect of secure software is having current versions. SAS strongly recommends that customers stay current with releases and updates for their SAS products. In this regard, customers have an essential role in helping SAS secure their SAS software.