The interval between the public disclosure of a vulnerability affecting a component recorded in a federation member's software bill of materials and the deployment of a fix or compensating control across the full affected estate. The clock starts at public disclosure, not at the moment the member notices the advisory, and stops only when every affected instance is remediated. The vulnerability window is a measurable property of the patching pipeline, not a policy aspiration. The federation requires that windows be reported by severity tier, that the percentile distribution be disclosed, and that exceptions exceeding the federation maximum be documented with a written compensating control plan.
Term in security engineering literature since the 1990s; the federation usage tightens an otherwise variable industry definition.
Federation maximum windows are seven days for critical, thirty days for high, ninety days for medium, and one hundred eighty days for low. Persistent breach of the critical or high window is reported under TGS-002:1.7 as an operational finding.
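The following is an added example, not IFO4 Federation code, showing how a member might measure windows per severity tier, disclose a percentile distribution, and flag exceptions over the federation maximums quoted above. The record format, the nearest-rank percentile definition, and the sample records are assumptions made for this example; only the tier names and maximum days come from the glossary entry.

```python
"""Vulnerability-window reporting against per-tier federation maximums.

Added example, not IFO4 Federation code. Tier names and maximum days are
taken from the glossary entry; the record shape, the nearest-rank
percentile definition and the sample data below are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional
import math

# Federation maximum windows in days per severity tier (from the entry).
FEDERATION_MAX_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Record:
    component: str
    severity: str
    disclosed: date                      # public disclosure date
    remediated: Optional[date]           # fix or compensating control deployed; None if still open
    control_plan: Optional[str] = None   # written compensating-control plan, if any


def window_days(rec: Record, as_of: date) -> int:
    """Measured window in days; open items are measured up to as_of."""
    end = rec.remediated or as_of
    days = (end - rec.disclosed).days
    if days < 0:
        raise ValueError(f"{rec.component}: remediated before disclosure")
    return days


def percentile(values, p):
    """Nearest-rank percentile (assumed definition; the entry fixes none)."""
    if not values:
        raise ValueError("no values")
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def report(records, as_of):
    """Per-tier distribution, plus exceptions over the federation maximum
    and the subset of exceptions with no written compensating-control plan."""
    unknown = {r.severity for r in records} - FEDERATION_MAX_DAYS.keys()
    if unknown:
        raise ValueError(f"unknown severity tier(s): {sorted(unknown)}")
    out = {}
    for tier, limit in FEDERATION_MAX_DAYS.items():
        tier_recs = [r for r in records if r.severity == tier]
        if not tier_recs:
            continue
        windows = [window_days(r, as_of) for r in tier_recs]
        exceptions = [r for r in tier_recs if window_days(r, as_of) > limit]
        out[tier] = {
            "count": len(windows),
            "p50": percentile(windows, 50),
            "p90": percentile(windows, 90),
            "max": max(windows),
            "exceptions": [r.component for r in exceptions],
            "undocumented_exceptions": [r.component for r in exceptions if not r.control_plan],
        }
    return out


def sample_report():
    """Runs the report over constructed sample records (not real data)."""
    as_of = date(2026, 3, 1)
    records = [
        Record("libfoo", "critical", date(2026, 1, 10), date(2026, 1, 14)),
        Record("libbar", "critical", date(2026, 1, 20), date(2026, 2, 2), "edge filter rule"),
        Record("libbaz", "critical", date(2026, 2, 20), None),            # still open
        Record("libqux", "high", date(2026, 1, 5), date(2026, 1, 25)),
        Record("libquux", "high", date(2025, 12, 1), date(2026, 1, 15), "feature disabled"),
        Record("libcorge", "medium", date(2026, 1, 1), date(2026, 2, 15)),
    ]
    return report(records, as_of)


if __name__ == "__main__":
    for tier, row in sample_report().items():
        print(tier, row)
```

Open items are measured to the reporting date so that an unremediated critical finding keeps widening the window rather than vanishing from the distribution; an exception without a written plan is what the entry requires to be surfaced.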
@misc{ifo4_glossary_vulnerability_window,
title = {{Vulnerability Window}},
author = {{IFO4 Federation Editorial Board}},
howpublished = {{IFO4 Federation Glossary, slug \texttt{vulnerability-window}}},
year = {2026},
url = {https://ifo4.org/glossary/vulnerability-window},
note = {Category: SecOps; key: VulnerabilityWindow}
}

Federation members and accredited practitioners may challenge any entry under TGS-002:1.7. Filed challenges are routed to the editorial board, triaged into the revision register, and resolved in writing on the public docket. The slug remains stable through any revision.