GitLab assigns a risk rating to identified vulnerabilities and prioritizes remediation of legitimate vulnerabilities according to the assigned risk.
It is not reasonable for GitLab to patch 100% of vulnerabilities every day, so we need a method to prioritize remediation. Since the goal of remediation is to reduce risk to the organization, we should prioritize by risk, which starts with assigning a risk rating to each vulnerability as it is identified. This prioritization and remediation is among the best ways to reduce risk to GitLab's customers and reputation, since exploitation of unresolved, known vulnerabilities is among the most common ways organizations are attacked.
This control applies to all production systems running GitLab's SaaS product.
For detailed implementation guidance relevant to GitLab team-members, refer to the full guidance documentation.
For all reference links relevant to this control, refer to the full guidance documentation.
For examples of evidence an auditor might request, refer to the full guidance documentation.