...
We have defined the following timeframes for fixing security issues:
Critical severity bugs to be fixed in product within 2 weeks of being reported
High severity bugs to be fixed in product within 4 weeks of being reported
Medium severity bugs to be fixed in product within 6 weeks of being reported
Low severity bugs to be fixed in product within 25 weeks of being reported