Patch and Vulnerability Management
How We Find and Fix Vulnerabilities
How We Find Vulnerabilities
Our dependencies and container images are scanned continuously for known vulnerabilities, and new findings open automatically as security work. We monitor vendor and ecosystem advisories so that newly disclosed and zero-day issues in the software we rely on reach us quickly. We also welcome reports from outside researchers. Anyone can report a suspected vulnerability through our Responsible Disclosure program, and every good-faith report is acknowledged and triaged on the same track as our internal findings.
Severity and Remediation Timeframes
Every confirmed vulnerability is scored using the Common Vulnerability Scoring System (CVSS v3.1) and validated to rule out false positives. The score sets the priority and the deadline, so a fix is never left to discretion alone.
- Critical: remediated within 5 business days
- High: within 10 business days
- Medium: within 30 business days
- Low: within a commercially reasonable timeframe
Where a fix depends on an upstream provider, we apply mitigations in the meantime and track the issue until it is fully resolved.
How We Patch Safely
Changes are tested in an isolated staging environment that holds no real customer data before they reach production. Infrastructure and configuration are defined as code and version-controlled, so every patch is reviewed, repeatable, and auditable rather than applied by hand to live servers. Deployments are zero-downtime and ship many times a day, so security fixes reach customers without a maintenance window. After a fix is deployed, we re-verify that the vulnerability is actually closed rather than assuming the patch worked.
What This Means for Customers
- Continuous automated scanning of dependencies and container images
- CVSS v3.1 severity scoring with defined remediation deadlines
- Critical issues remediated within 5 business days
- Every patch tested on isolated staging before production
- External researchers can report through our Responsible Disclosure program