The US government has just reduced the official critical vulnerability remediation timeline from 30 days after a report has been issued to 15 days after detection, according to the freshly published DHS BOD 19-02.
This announcement is significant not least of all because I don’t have to explain why a 30 day response timeline to critical vulnerabilities exists on the Internet. “It’s an outlier because government” only goes so far. Wonderful to see the change, even though it’s still far from the 24 hour turnaround expected in commercial space.