Vulnerability & patch governance
Purpose: A defensible process from "CVE published" to "fixed in prod", covering AEM, dependencies and the stack beneath.
Who this page is for
| Audience | Why it matters to you |
|---|---|
| Tech leads / platform engineers | Process owners |
| All engineers | Dependency hygiene |
The surfaces you are patching
| Surface | Intake | Fix path |
|---|---|---|
| AEM product | Adobe security bulletins (subscribe, don't discover via news) | SP/hotfix via patching process |
| Java dependencies (yours) | SCA scanning in CI (OWASP dependency-check or equivalent) | Version bump PRs, prioritised by exploitability in YOUR usage |
| Frontend dependencies | npm audit / SCA on ui.frontend | Same |
| JVM / OS / web server / CDN config | Platform vulnerability management | Platform patch cadence |
| Your own code | Security checklist per PR + periodic pentest | Normal or hotfix path |
Triage that scales
Severity score is the start, not the answer. Triage each finding against reality: Is the vulnerable path reachable in our deployment? (dispatcher-blocked console CVE ≠ internet-reachable RCE) — which is one more reason the dispatcher probe suite stays green.
| Class | Clock |
|---|---|
| Critical + reachable + exploited-in-wild | Emergency: hours–days (compressed path) |
| Critical/high, not directly reachable | Next patch window, mitigations meanwhile (WAF rule, filter) |
| Medium/low | Scheduled with releases; batch dependency bumps monthly |
Record the triage decision (even "accepted risk, because…") — undocumented risk acceptance is just risk.
Keeping the backlog honest
- Dependency bumps ride every release by default; a quarterly "bump-everything" release prevents the big-bang upgrade cliff.
- Track mean-time-to-remediate per class; a rising trend is the early warning that patching lost priority.
- Pentest findings enter the same triage; retest closure evidence goes to the audit trail.
- The unfashionable truth: most AEM breaches in the wild exploit unpatched instances and exposed consoles, not zero-days — the boring disciplines on this page are the actual defence.