Update support-policies.md

AndreiBarbu95 · web-flow · commit 310bd6c7f240 · 2024-05-23T18:48:17.000+03:00
Added the scenario in which we explain the customers that we don't support vulnerabilities for non-AKS managed images and instructions that they should filter the lists before sending to Microsoft support
diff --git a/articles/aks/support-policies.md b/articles/aks/support-policies.md
@@ -82,6 +82,7 @@ Microsoft doesn't provide technical support for the following scenarios:
 * Network customizations other than the ones listed in the [AKS documentation](./index.yml).
 * Custom or third-party CNI plugins used in [BYOCNI](use-byo-cni.md) mode.
 * Stand-by and proactive scenarios. Microsoft Support provides reactive support to help solve active issues in a timely and professional manner. However, standby or proactive support to help you eliminate operational risks, increase availability, and optimize performance are not covered. [Eligible customers](https://www.microsoft.com/unifiedsupport) can contact their account team to get nominated for [Azure Event Management service](https://devblogs.microsoft.com/premier-developer/proactively-plan-for-your-critical-event-in-azure-with-enhanced-support-and-engineering-services/). It's a paid service delivered by Microsoft support engineers that includes a proactive solution risk assessment and coverage during the event.
+* Vulnerabilities / CVEs with a vendor fix that is less than 30 days old. As long as you're running the updated VHD, you shouldn't be running any container image vulnerabilities / CVEs with a vendor fix that is over 30 days old. It is customer responsibility to update the VHD and provide filtered lists to Microsoft support. Once you updated your VHD, it is customer responsibility to filter the vulnerabilities / CVEs report and provide a list only with vulnerabilities/CVEs with a vendor fix that is over 30 days old.  If that will be the case, Microsoft support will make sure to work internally and address components with a vendor fix released more than 30 days ago. Additionally, Microsoft provide vulnerability / CVE-related support only for Microsoft-managed components (i.e., AKS node images, managed container images for applications that get deploy during cluster creation or via the installation of a managed add-on). For more details about vulnerability management for AKS, please visit [this page](concepts-vulnerability-management.md).
 
 ## AKS support coverage for agent nodes
 
