KATA-4419 (Openshift sandboxed containers)

Continuous Vulnerability Management

    • OSC 1.12 Backlog
    • 0

      Goal

Manage vulnerabilities continuously so that all relevant CVEs can be addressed without impacting mainstream feature and capability development.

      Why this matters

While product security is always a priority, development teams ending up with overwhelming volumes of CVEs is a universal problem.

• Not all CVEs are created equal
• A “scan, patch, test and release everything” approach is not scalable or sustainable
• A risk-based prioritization approach is needed
  • Contextualize risk (how critical is it for our product?)
    • Assess likelihood of occurrence (reachability analysis)
    • Assess business impact
    • Prioritize based on likelihood of occurrence × business impact

      Acceptance Criteria

• Agree upon an acceptable risk tolerance
• List all relevant CVEs identified through existing channels
• Team conducts technical triage to contextualize risk (likelihood of occurrence)
• PO prioritizes CVEs for remediation
• Remediation by the team (consider automation in the long run, e.g., in technical triage and remediation)

Assignee: Unassigned
Reporter: Renjish Kaleelazhicathu (rh-ee-rekumar)