EXHIBIT A ActiveState CVE SLA and Support Services
ver. December 10, 2025
This Exhibit A is subject to and forms part of the ActiveState Master Terms of Service (“TOS”). The CVE remediation commitments described in this Exhibit apply only to ActiveState’s Managed Distributions, unless otherwise stated. Standard Support Services and associated Service Level Agreements (SLAs) described below apply only to Customers with a current, paid subscription to ActiveState’s Business or Enterprise Products and Services. No support obligations apply to Products or Services made available on Free Tier, including those downloaded or accessed without payment via the ActiveState Platform. Capitalized terms used but not defined in this Exhibit have the meanings given to them in the TOS.
I. Common Vulnerabilities and Exposures (“CVEs”)
1. Eligible Fix
ActiveState will use reasonable commercial efforts to address CVEs affecting exclusively ActiveState Managed Distributions, as defined in the ActiveState Master Terms of Service (“TOS”). CVEs will qualify for remediation under this Service Level Agreement (“SLA”) if all of the following requirements are met (“Eligible Fix”):
- The CVE is detected through ActiveState’s standard vulnerability monitoring processes and confirmed to affect an ActiveState Managed Distribution..
- The CVE can be fixed on its own without needing broader changes tied to unrelated bugs
- If the CVE remediation does not introduce incompatible changes to the project or requires novel work.
- One of the following conditions is met:
- an upstream fix is publicly available and verified by a credible and independent third party to fix the CVE, or
- an affected Managed Distribution can be rebuilt with updated compilers and/or libraries to remediate that CVE; and
- the CVE relates to a Managed Distribution in use and not to any combination with or use of an Ecosystem or Operating System not supported by ActiveState.
2. Severity Scoring.
ActiveState will use the severity rating determined by the Common Vulnerability Scoring System (CVSS”) version 3 for an Eligible Fix, further described at https://nvd.nist.gov/vuln-metrics/cvss.
3. Patching.
- 3.1 ActiveState will make commercially reasonable efforts to patch CVEs in Managed Distributions within the following timeframes, starting from when an Eligible Fix becomes publicly available:
- Critical Severity: within five (5) business days.
- High Severity: within ten (10) business days.
- Medium and Low Severity: within thirty (30) business days.
- If possible, in the event of a High Impact CVE Event, ActiveState will use commercially reasonable efforts to rebuild the affected Managed Distribution outside of the SLA times.
- 3.2 A “High Impact CVE Event” means an event in which one or more vulnerabilities affect multiple components simultaneously, requiring remediation in any of the following scenarios:
- A vulnerability in a single component that is a dependency of many components, such as OpenSSL, requiring all affected components to be rebuilt with special handling, such that an infrastructure change is required (an image or builder), or that twenty percent (20%) or more of the components need to have individual patches to handle the vulnerability from the dependency.
- Three (3) or more vulnerabilities that require patching simultaneously related to the same root cause.
4. Remediation
A CVE will be considered remediated when any of the following occur:
- an updated version of the affected Managed Distribution is published to the ActiveState hosted registry,
- the CVE is no longer detected through ActiveState’s standard vulnerability monitoring processes and confirmed to not affect an ActiveState Managed Distribution
- the CVE has been clearly marked as fixed in the ActiveState security fixes feed. In the event a Managed Distribution includes FIPS validated components ActiveState will remediate CVEs as described above, unless remediating would void the FIPS validation.
5. ActiveState Package Catalog
The ActiveState Package Catalog is a curated collection of Artifacts or Components sourced from various Ecosystems, which have been vetted, built, and made available for inclusion in Distributions and Runtimes ("Package Catalog"). ActiveState will make commercially reasonable efforts to remediate CVEs it identifies in the Package Catalog. However, the CVE remediation timelines and service levels described in this document do not apply to the Package Catalog. To address CVEs in the Package Catalog, ActiveState may use one or more of the following methods:
- Building the affected Artifacts or Components using the latest publicly available version from the corresponding source code;
- Updating one or more Artifacts or Components to newer versions where applicable. ActiveState will also take reasonable steps to validate that Package Catalog components continue to work with upstream versions of publicly available packages. However, because the Package Catalog includes modified versions of public available packages, exact functional equivalence is not guaranteed. It is the User’s responsibility to confirm that packages from the Package Catalog meet their functional requirements. ActiveState is not responsible for how these packages are used in the User’s environment.
II. SUPPORT SERVICES
Upon payment of all applicable Fees to ActiveState and only during the Term of the Order Form, ActiveState will provide the following support services (the “Support Services”):
1. Business Tier Standard Support Services: The following SLA and support services apply exclusively for Business Tier Services: ActiveState’s will provide email support to a maximum of one named (1) contact Monday to Friday, 8am to 5pm PST, excluding U.S. Federal holidays in accordance with the response times set forth below:
%20(1).webp)