Each organization has its own policies for prioritizing vulnerabilities, but here’s how EdgeBit recommends doing it:
You can find a live list of these vulnerabilities in the Overview page of the EdgeBit Console.
Engineers regularly see security context for components inside their pull requests, but a security team doesn’t have the same day-to-day interaction.
Security staff can look at the full list of vulnerabilities for the actively deployed versions of each component and verify that SLAs are being followed or identify where the SLA has been breached.
When investigating a specific app version, digging into the SBOM is a great place to start. You’ll see the type of package detected, the severity of the vulnerability, and whether it has been fixed upstream or will never be fixed.
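The SLA check described above, worked through as an added example that is not EdgeBit's code or the Console's own logic: it runs over a constructed list of findings that carry the fields the SBOM view exposes (package type, severity, fix state) and reports which findings are within SLA, which have breached it, and which have no upstream fix and therefore need a mitigation rather than a patch. The SLA thresholds, the `Finding` field names, the report date and the `EXAMPLE-*` ids are all assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import date

# Assumed SLA thresholds in days, keyed by severity. These are example values
# chosen for this illustration, not EdgeBit's recommendation.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Assumed report date so the example is reproducible offline.
REPORT_DATE = date(2024, 2, 1)


@dataclass(frozen=True)
class Finding:
    component: str      # deployed component name (assumed field)
    version: str        # actively deployed version
    package: str        # package the vulnerability was detected in
    package_type: str   # e.g. "npm", "deb", "go-module" (constructed values)
    vuln_id: str        # identifier as it appears in the vulnerability list
    severity: str       # "critical" | "high" | "medium" | "low"
    fix_state: str      # "fixed" (fixed version exists), "not-fixed", "wont-fix"
    first_seen: date    # date the finding first appeared for this version


def days_open(f: Finding, today: date) -> int:
    """Number of days the finding has been open as of `today`."""
    return (today - f.first_seen).days


def sla_status(f: Finding, today: date) -> str:
    """Classify a finding against the SLA for its severity.

    "breached": an upstream fix exists and the finding has been open longer
    than the SLA window. "within-sla": a fix exists and the window is not yet
    exceeded. "needs-mitigation": no fix exists or the maintainer won't fix,
    so a patch-based SLA cannot be met and the finding is tracked separately.
    """
    if f.fix_state != "fixed":
        return "needs-mitigation"
    limit = SLA_DAYS[f.severity]
    return "breached" if days_open(f, today) > limit else "within-sla"


def sla_report(findings: list, today: date) -> dict:
    """Group vulnerability ids by SLA status, longest-open first in each group."""
    report = {"breached": [], "within-sla": [], "needs-mitigation": []}
    for f in sorted(findings, key=lambda x: days_open(x, today), reverse=True):
        report[sla_status(f, today)].append(f.vuln_id)
    return report


# Constructed sample findings (not real advisories); ids are placeholders.
SAMPLE = [
    Finding("api", "2.4.1", "lodash", "npm", "EXAMPLE-0001",
            "critical", "fixed", date(2024, 1, 1)),
    Finding("api", "2.4.1", "libssl3", "deb", "EXAMPLE-0002",
            "high", "fixed", date(2024, 1, 20)),
    Finding("worker", "1.0.9", "golang.org/x/net", "go-module", "EXAMPLE-0003",
            "medium", "fixed", date(2024, 1, 25)),
    Finding("worker", "1.0.9", "zlib1g", "deb", "EXAMPLE-0004",
            "low", "wont-fix", date(2023, 6, 1)),
]

if __name__ == "__main__":
    for status, ids in sla_report(SAMPLE, REPORT_DATE).items():
        print(f"{status}: {ids}")
```

Findings without an upstream fix are deliberately kept out of the breach count: a patch SLA that can never be met only hides the real question, which is whether a compensating control is in place, so they get their own bucket for the security team to review.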