A vulnerability that meets all four criteria would need to be fixed within three days, for instance.