GitLab assigns a risk rating to identified vulnerabilities and prioritizes remediation of legitimate vulnerabilities according to the assigned risk.
It is not reasonable for GitLab to patch 100% of vulnerabilities every day, so we need a method to prioritize remediation. Since the goal of remediation is to reduce risk to the organization, we prioritize by risk, which starts with assigning a risk rating to each vulnerability as it is identified. This prioritization and remediation is among the best ways to reduce risk to GitLab's customers and reputation, since exploitation of known, unresolved vulnerabilities is among the most common ways organizations are attacked.
This control applies to all systems within our production environment. The production environment includes all endpoints and cloud assets used in hosting GitLab.com and its subdomains, and may include third-party systems that support the business of GitLab.com.
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the Vulnerability Remediation control issue.