Vulnerability Management¶

Vulnerability management covers how the project detects, reviews, prioritizes, and resolves known security issues in dependencies and related infrastructure components.

Scope¶

This includes:

• automated vulnerability scanning
• dependency update signals such as Dependabot where relevant
• triage and prioritization workflows
• remediation tracking and follow-up

Relevant Tools¶

• GitHub security features and alerts where enabled
• Dependabot or similar dependency update mechanisms where relevant
• repository and CI workflows that surface findings

Typical Work Items¶

• document where vulnerability findings appear and who reviews them
• distinguish informational findings from issues that require action
• connect remediation work to dependency management and release planning
• make exceptions and risk acceptance decisions explicit when they occur

Why It Matters¶

Vulnerability management is most effective when it is part of normal platform operation rather than an occasional audit exercise. Clear workflows help maintainers focus on real risk and avoid losing findings in background noise.