It's the morning of a major release and a critical CVE (CVSS 9.8) drops for a library you ship. Walk me through your triage and decision.
Expected Points
- Immediately assess exploitability: is the vulnerable function called in your code paths? Check whether your usage matches the attack vector (e.g. if the CVE requires parsing attacker-controlled XML, do you parse untrusted XML?). (3 pts)
- Identify whether a patched version is available and estimate patch effort. If a drop-in patch exists, weigh the time to patch, test, and release against shipping with a compensating control. (3 pts)
- Assess compensating controls if you can't patch in time: a WAF rule to block the attack pattern, isolation of the affected service, or temporarily blocking the vulnerable endpoint. (2 pts)
- Escalate the go/no-go decision to the release owner and relevant stakeholders with a clear risk summary: exploitability, business impact of delaying vs. shipping, and your recommendation. (2 pts)
- If you ship: document the accepted risk, create a P1 remediation ticket with an SLA, and ensure monitoring is in place to detect exploitation attempts. (2 pts)
- Kick off a process improvement: automated SCA (Software Composition Analysis) in CI should have caught this pre-release, not at release time. Review and tighten the pipeline. (1 pt)
A critical CVE mid-release forces a rapid risk triage: is the vulnerable code path reachable, what is the blast radius, and can you patch-and-release faster than an attacker can weaponize the issue? The goal is to make an informed go/no-go call with data, not panic.