Most companies set ambitious service-level agreements (SLA) requiring vulnerabilities to be fixed within 14 days.