Vulnerability Management and Patch Cycles
Vulnerability management is the ongoing process of identifying, evaluating, prioritising, and remediating security vulnerabilities in your systems. Given the volume of new vulnerabilities disclosed daily, a structured approach is essential to focus effort where it matters most.
The Vulnerability Management Lifecycle
- Identify: Continuous vulnerability scanning of infrastructure and applications; monitoring of security advisories and CVE databases
- Evaluate: Assess each vulnerability against your environment — is the vulnerable component present? Is it exposed? Is there a mitigating control?
- Prioritise: Score by exploitability and impact. CVSS score, availability of public exploits, and exposure are key factors. Not all Critical CVSS scores are equally urgent.
- Remediate: Apply patches, update dependencies, implement mitigations, or accept risk with documented justification
- Verify: Confirm remediation was effective
- Report: Maintain a vulnerability register; report metrics to stakeholders
Patch SLAs
We recommend defining patch SLAs by severity:
- Critical: Patch or mitigate within 24–72 hours
- High: Within 7 days
- Medium: Within 30 days
- Low: Within 90 days
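As an added example (not part of the original page), the Evaluate and Prioritise steps above combined with these SLAs can be turned into a small triage function: raw CVSS severity is adjusted by whether the component is present, exposed, has a public exploit, or is already mitigated, and the resulting level picks the deadline. The +1/-1 adjustments and the CVE identifiers are assumed sample values, not a standard.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Patch SLAs as recommended on the page, as a maximum number of hours.
# Critical is given as 24-72 hours; the upper bound is used here.
SLA_HOURS = {"Critical": 72, "High": 7 * 24, "Medium": 30 * 24, "Low": 90 * 24}
LEVELS = ["Low", "Medium", "High", "Critical"]


@dataclass
class Finding:
    cve: str                  # scanner identifier (sample values in tests are constructed)
    cvss: float               # CVSS base score, 0.0 to 10.0
    present: bool             # Evaluate: is the vulnerable component actually deployed?
    exposed: bool             # Evaluate: is it reachable from untrusted networks?
    public_exploit: bool      # Prioritise: is a public exploit available?
    mitigated: bool = False   # Evaluate: is a compensating control already in place?


def cvss_severity(score: float) -> str:
    """Map a CVSS base score to the four severity bands (CVSS v3.x qualitative ranges)."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def prioritise(f: Finding) -> Optional[str]:
    """Effective severity after environment context; None if the finding does not apply.
    The +1/-1 steps are an assumed heuristic to show why equal CVSS != equal urgency."""
    if not f.present:
        return None
    idx = LEVELS.index(cvss_severity(f.cvss))
    if f.public_exploit:
        idx += 1          # a working public exploit raises urgency
    if f.exposed:
        idx += 1          # exposure to untrusted networks raises urgency
    if f.mitigated:
        idx -= 1          # a mitigating control buys time but does not close the finding
    return LEVELS[max(0, min(idx, len(LEVELS) - 1))]


def sla_deadline(f: Finding, reported_iso: str) -> Optional[str]:
    """ISO-8601 remediation deadline under the SLAs above, or None if not applicable."""
    level = prioritise(f)
    if level is None:
        return None
    return (datetime.fromisoformat(reported_iso) + timedelta(hours=SLA_HOURS[level])).isoformat()
```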
Patching in Production
Our deployment infrastructure enables zero-downtime patching for most updates. For major version upgrades requiring testing, we schedule patching with a defined maintenance window communicated in advance.