A new CVE disclosure: IPS release timing, missing signatures, default action, and what happens if no PoC is found

Created On 08/17/20 15:53 PM - Last Modified 04/05/24 13:12 PM


Question


  • What is the approximate time for Palo Alto Networks to provide coverage for a newly published CVE?
  • What are the factors for a CVE to be a good candidate for an IPS signature? 
  • What is the default action for newly created IPS signatures?
  • Why do some CVEs not have signatures?


Environment


  • All PAN-OS 
  • All PAN products 
  • Vulnerability signatures


Answer


Question 1:  What is the approximate time for Palo Alto Networks to provide coverage for a newly published CVE?
Answer: The U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) keeps records of Common Vulnerabilities and Exposures (CVEs) and assigns each one its name (and ID).

Once a new CVE is published, Palo Alto Networks engineers start working on a vulnerability signature to protect against it. There are three primary conditions for creating a vulnerability signature:
  • A valid proof of concept (PoC) must be publicly available for Palo Alto Networks engineers to create a protection or vulnerability signature. Engineers and security researchers use the PoC to reproduce the vulnerability and build the protection; no PoC means no signature. The absence of a signature does not necessarily mean that your network is at risk: if no PoC is available, potential attackers may be unaware of the vulnerability or may lack the knowledge to exploit it.
  • The CVE should be network-based rather than host-based, as firewalls can only detect and block network traffic. Malicious traffic that does not pass through the firewall cannot be detected or blocked.
  • CVE score: if the CVE severity is low (less than five) and the vulnerability is not widely known, the engineering team may decide to skip it.


Question 2:  What is the next step if no PoC is found?
Answer: Once a CVE is published, we enter it into Palo Alto Networks' internal vulnerability monitoring system. This automated system monitors all available public and private sources, such as Telus, MAPP, GitHub, Google bug trackers, Exploit-DB, internal bugs, and more.
Once this system finds an available PoC through its automated search, it sends a notification to the engineering team, and the team starts working on creating the signature if the other conditions are met.


Question 3:  How long does it take to create an IPS signature once a PoC is found?
Answer: Creating a single quality vulnerability IPS signature goes through many phases, including research, creation, soak testing, quality assurance, and tuning before and after release. It is tuned to cover every avenue of possible exploitation while avoiding false positives. 
The time varies from signature to signature; for critical exploits, we create a signature quickly and ship it in an out-of-band "911" release rather than waiting for the regular release. 
Sometimes the Palo Alto Networks content development team may decide not to create an IPS signature even when a valid network-based PoC exists, due to other factors such as the Common Vulnerability Scoring System (CVSS) score and a low likelihood of the vulnerability being used in an exploit.

Question 4:  What is the default action for the newly created IPS signature?
Answer:  We set the default action to 'alert' for the first few days to observe the signature in the field. The action can then be changed based on severity. 
If you want to block traffic that matches IPS signatures of critical or high severity, you can create an IPS rule that overrides the default action based on severity. For details, please have a look here.
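As an added example (not from this article), the following PAN-OS CLI configuration creates a Vulnerability Protection profile that overrides the default action for critical and high severity signatures while leaving other severities at their vendor default, which for newly released signatures is 'alert' as described above. The profile name vp-block-crit-high, the rule names block-critical-high and default-rest, and the security policy name allow-outbound are assumptions; adjust them to your configuration.

```text
# Added example, not from the article. Profile, rule and policy names are assumptions.
configure

# Rule 1: critical and high severity signatures reset both sides of the session
# and keep a single-packet capture so the Threat log carries evidence for triage.
set profiles vulnerability vp-block-crit-high rules block-critical-high severity [ critical high ]
set profiles vulnerability vp-block-crit-high rules block-critical-high action reset-both
set profiles vulnerability vp-block-crit-high rules block-critical-high packet-capture single-packet
set profiles vulnerability vp-block-crit-high rules block-critical-high threat-name any
set profiles vulnerability vp-block-crit-high rules block-critical-high cve any
set profiles vulnerability vp-block-crit-high rules block-critical-high host any
set profiles vulnerability vp-block-crit-high rules block-critical-high vendor-id any
set profiles vulnerability vp-block-crit-high rules block-critical-high category any

# Rule 2: everything else keeps the signature's own default action
# (alert for a freshly released signature), so new content cannot cause
# unexpected blocking of production traffic.
set profiles vulnerability vp-block-crit-high rules default-rest severity [ medium low informational ]
set profiles vulnerability vp-block-crit-high rules default-rest action default
set profiles vulnerability vp-block-crit-high rules default-rest threat-name any
set profiles vulnerability vp-block-crit-high rules default-rest cve any
set profiles vulnerability vp-block-crit-high rules default-rest host any
set profiles vulnerability vp-block-crit-high rules default-rest vendor-id any
set profiles vulnerability vp-block-crit-high rules default-rest category any

# Attach the profile to the security policy rule whose traffic it should inspect.
set rulebase security rules allow-outbound profile-setting profiles vulnerability vp-block-crit-high
commit
```

Rules in a Vulnerability Protection profile are evaluated top-down and the first match wins, so the severity-specific block rule must sit above the catch-all. Because the catch-all uses 'default', a signature released at 'alert' stays at 'alert' until either the vendor raises its default or you add it to a blocking rule; reviewing the Threat log for new signature hits during that observation window is what tells you whether a stricter action is safe.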



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAOnCAO&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail