We all know we should be patching CVEs in our dependencies faster. Three forces are about to make that untenable.

01 · Features
Business requirements, roadmap
02 · CVEs
CVE patch requests
  • 97% of codebases are OSS [1]
  • 911 avg. components [1]
  • +263% CVE rate 2020→2025 [2]
  • AI agents accelerating [3]
NOW
P1 Salesforce & HubSpot integration v2
P1 AI-assisted report builder
P1 Multi-region data residency controls
NEXT
P2 Event streaming API (Kafka-compatible)
P3 White-label portal & custom domains
P3 Usage analytics & cost attribution v2
SOMEDAY
P4 Fix CVE-2024-3094 in LogArchiver CRITICAL
P4 Fix CVE-2024-6387 in BastionHost CRITICAL
P4 Fix CVE-2024-4577 in LegacyAPI CRITICAL
P5 Fix CVE-2024-0056 in APIGateway HIGH
P5 Fix CVE-2023-44487 in EdgeProxy HIGH
P5 Fix CVE-2024-1086 in NodeRuntime HIGH
P6 Fix CVE-2024-2961 in BaseImage MEDIUM
P6 Fix CVE-2024-3651 in EmailService MEDIUM
P6 Fix CVE-2023-52425 in SAMLAuth MEDIUM
P6 Fix CVE-2024-4741 in InternalRPC MEDIUM
P7 Fix CVE-2024-0397 in DataPipeline LOW
P7 Fix CVE-2023-6237 in MetricsCollector LOW
+844 more CVE tickets
3 CRITICAL
12 HIGH
03 · Customer compliance / infosec / auditors
Customer · pre-contract

“Our procurement questionnaire, required under DORA [4] and EU CRA [5], asks for a list of all open CVEs and a remediation timeline before we can proceed.”

Auditor · due diligence

“EU CRA Art. 14 [5] requires vendors to supply security updates for the product’s full support period. Please supply your CycloneDX SBOM and evidence of patching cadence before signing.”

Customer · renewal

“CVE-2024-3094 appeared in your SBOM at contract start. It is still unpatched. Our legal team needs a written remediation plan, required for our own DORA [4] compliance filing.”

Auditor · ongoing

“DORA Art. 19 [4] requires initial notification within 4h of CRITICAL classification. CVE-2024-3094, -6387, and -4577 are all past that window. Please provide remediation status in writing.”

Does this resonate, or am I overstating it? I'm conducting a round of research and would love 30 minutes of your time to learn more. I'll share the (anonymised) research with all participants.

The conversation · three questions

Thirty minutes. I want to understand how the three forces above are showing up in your actual day-to-day, or whether they aren't, which is just as useful to know.

  1. Who owns the problem?

     Where does CVE-patching responsibility actually sit at your company: security team, platform/SRE, application teams, somewhere else, or nowhere in particular?

  2. What techniques are you using?

     Manual scan-and-triage; automated pipeline; third-party service; something more bespoke; or honestly, not much yet?

  3. Are verification demands hitting you yet?

     Are customers, auditors, or regulators already asking for proof of patching cadence, or is that still hypothetical at your scale?

I'm aggregating answers across everyone I talk to. Once I have enough, I'll share back the anonymised synthesis: which techniques are actually working, where the regulatory pressure is real now versus still hypothetical, and what patterns emerge across very different organisations. You get the synthesis, not just the satisfaction of helping me.

Get in touch · thirty minutes

This is customer discovery. I'm interviewing operators about how the three forces above are reshaping their work. Pick a slot below. You'll get the call notes back (anonymised) along with the aggregate synthesis once I've talked to enough people.

Who I am

Twenty-five years in software engineering, DevOps, SRE, and release engineering at Pivotal, VMware, Shopify, Mechanical Orchard. I work specifically on the supply-chain side: reproducible builds, SBOM generation, dependency provenance, CVE remediation pipelines. Lately, I've been discovering I love supervising LLM agents through this kind of work: the patient, tedious compliance grind that makes other engineers run away screaming. Based in Dublin.

References
  1. Black Duck Software. 2025 Open Source Security and Risk Analysis (OSSRA) Report. 2025. Sample: 965 commercial codebases across 16 industries, calendar year 2024. blackduck.com/…/rep-ossra.pdf
  2. National Institute of Standards and Technology (NIST). National Vulnerability Database — CVE submission statistics, 2020–2025. nvd.nist.gov/general/nvd-dashboard
  3. Anthropic. Project Glass Wing — Claude Mythos vulnerability-discovery research announcement. 2026-04-07. Named zero-days include a 27-year-old OpenBSD TCP flaw, a 16-year-old FFmpeg codec flaw, and CVE-2026-4747 (FreeBSD NFS RCE). anthropic.com/glasswing
  4. European Union. Regulation (EU) 2022/2554 of 14 December 2022 on digital operational resilience for the financial sector (DORA). Article 19 reporting cadence: initial notification within 4 hours of classification; intermediate report within 72 hours; final report within one month. eur-lex.europa.eu/eli/reg/2022/2554/oj
  5. European Union. Regulation (EU) 2024/2847 on horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act). Requires vendors to declare vulnerabilities, provide security updates for the product's support period, and notify ENISA of actively exploited vulnerabilities within 24 hours. eur-lex.europa.eu/eli/reg/2024/2847/oj