
VUL.3.01 - Infrastructure Patch Management Control Guidance

VUL.3.01 - Infrastructure Patch Management

Control Statement

GitLab installs security-relevant patches, including software or firmware updates; identified end-of-life software must have a documented decommission plan in place before the software is removed from the environment.


This control details security best practices for infrastructure patching. It is intended to ensure that all GitLab production systems are up to date according to our own patching standards. We need to prove that patching is prioritized and that we consistently apply all possible patches and decommission systems as appropriate.


This control applies to all systems within our production environment. The production environment includes all endpoints and cloud assets used in hosting and its subdomains. This may include third-party systems that support the business of


Control Owner:

Process Owner:


Additional control information and project tracking

Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the Infrastructure Patch Management control issue.

Policy Reference

Framework Mapping