惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
腾讯CDC
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
L
LINUX DO - 热门话题
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Project Zero
Project Zero
V
Vulnerabilities – Threatpost
Cisco Talos Blog
Cisco Talos Blog
P
Palo Alto Networks Blog
C
Cisco Blogs
A
Arctic Wolf
月光博客
月光博客
The GitHub Blog
The GitHub Blog
T
The Blog of Author Tim Ferriss
量子位
小众软件
小众软件
Latest news
Latest news
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Microsoft Security Blog
Microsoft Security Blog
T
The Exploit Database - CXSecurity.com
Security Latest
Security Latest
N
Netflix TechBlog - Medium
K
Kaspersky official blog
人人都是产品经理
人人都是产品经理
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
博客园_首页
Y
Y Combinator Blog
P
Proofpoint News Feed
H
Hackread – Cybersecurity News, Data Breaches, AI and More
M
MIT News - Artificial intelligence
T
Threat Research - Cisco Blogs
S
Schneier on Security
D
Docker
Scott Helme
Scott Helme
MyScale Blog
MyScale Blog
Spread Privacy
Spread Privacy
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
GbyAI
GbyAI
有赞技术团队
有赞技术团队
Google DeepMind News
Google DeepMind News
The Hacker News
The Hacker News
H
Help Net Security
Simon Willison's Weblog
Simon Willison's Weblog
J
Java Code Geeks
C
Cyber Attacks, Cyber Crime and Cyber Security
T
Tenable Blog
B
Blog
Know Your Adversary
Know Your Adversary
IT之家
IT之家

The latest on supply chain security - The GitHub Blog

Inside the Advisory Database and what happens when vulnerability volume breaks records Securing the open source supply chain across GitHub A year of open source vulnerability trends: CVEs, advisories, and malware Investing in the people shaping open source and securing the future together Strengthening supply chain security: Preparing for the next malware campaign Top security researcher shares their bug bounty process How a top bug bounty researcher got their start in security Our plan for a more secure npm supply chain Safeguarding VS Code against prompt injections Understand your software’s supply chain with GitHub’s dependency graph
Cutting through the noise: How to prioritize Dependabot alerts
Andrea Griffiths · 2025-04-30 · via The latest on supply chain security - The GitHub Blog

Let’s be honest: that flood of security alerts in your inbox can feel completely overwhelming. We’ve been there too.

As a developer advocate and a product manager focused on security at GitHub, we’ve seen firsthand how overwhelming it can be to triage vulnerability alerts. Dependabot is fantastic at spotting vulnerabilities, but without a smart way to prioritize them, you might be burning time on minor issues or (worse) missing the critical ones buried in the pile.

So, we’ve combined our perspectives—one from the security trenches and one from the developer workflow side—to share how we use Exploit Prediction Scoring System (EPSS) scores and repository properties to transform the chaos into clarity and make informed prioritization decisions.

Understanding software supply chain security

If you’re building software today, you’re not just writing code—you’re assembling it from countless open source packages. In fact, 96% of modern applications are powered by open source software. With such widespread adoption, open source software has become a prime target for malicious actors looking to exploit vulnerabilities at scale.

Attackers continuously probe these projects for weaknesses, contributing to the thousands of Common Vulnerabilities and Exposures (CVEs) reported each year. But not all vulnerabilities carry the same level of risk. The key question becomes not just how to address vulnerabilities, but how to intelligently prioritize them based on your specific application architecture, deployment context, and business needs.

Understanding EPSS: probability of exploitation with severity if it happens

When it comes to prioritization, many teams still rely solely on severity scores like the Common Vulnerability Scoring System (CVSS). But not all “critical” vulnerabilities are equally likely to be exploited. That’s where EPSS comes in—it tells you the probability that a vulnerability will actually be exploited in the wild within the next 30 days.

Think of it this way: CVSS tells you how bad the damage could be if someone broke into your house, while EPSS tells you how likely it is that someone is actually going to try. Both pieces of information are crucial! This approach allows you to focus resources effectively.

As security pro Daniel Miessler points out in Efficient Security Principle, “The security baseline of an offering or system faces continuous downward pressure from customer excitement about, or reliance on, the offering in question.”

Translation? We’re always balancing security with usability, and we need to be smart about where we focus our limited time and energy. EPSS helps us spot the vulnerabilities with a higher likelihood of exploitation, allowing us to fix the most pressing risks first.

Smart prioritization steps

1. Combine EPSS with CVSS

One approach is to look at both likelihood (EPSS) and potential impact (CVSS) together. It’s like comparing weather forecasts—you care about both the chance of rain and how severe the storm might be.

For example, when prioritizing what to fix first, a vulnerability with:

  • EPSS: 85% (highly likelihood of exploitation)
  • CVSS: 9.8 (critical severity)

…should almost always take priority over one with:

  • EPSS: 0.5% (much less likely to be exploited)
  • CVSS: 9.0 (critical severity)

Despite both having red-alert CVSS ratings, the first vulnerability is the one keeping us up at night.

2. Leverage repository properties for context-aware prioritization

Not all code is created equal when it comes to security risk. Ask yourself:

  • Is this repo public or private? (Public repositories expose vulnerabilities to potential attackers)
  • Does it handle sensitive data like customer info or payments?
  • How often do you deploy? (Frequent deployments face tighter remediation times)

One way to provide context-aware prioritization systematically is with custom repository properties, which allow you to add contextual information about your repositories with information such as compliance frameworks, data sensitivity, or project details. By applying these custom properties to your repositories, you create a structured classification system that helps you identify the “repos that matter,” so you can prioritize Dependabot alerts for your production code rather than getting distracted by your totally-not-a-priority test-vulnerabilities-local repo.

3. Establish clear response Service Level Agreements (SLAs) based on risk levels

Once you’ve done your homework on both the vulnerability characteristics and your repository context in your organization, you can establish clear timelines for responses that make sense for your organization resources and risk tolerance.

Let’s see how this works in real life: Here’s an example risk matrix that combines both EPSS (likelihood of exploitation) and CVSS (severity of impact).

EPSS ↓ / CVSS → Low Medium High
Low ✅ When convenient ⏳ Next sprint ⚠️ Fix Soon
Medium ⏳ Next sprint ⚠️ Fix soon 🔥 Fix soon
High ⚠️ Fix Soon 🔥 Fix soon 🚨 Fix first

Say you get an alert about a vulnerability in your payment processing library that has both a high EPSS score and high CVSS rating. Red alert! Looking at our matrix, that’s a “Fix first” situation. You’ll probably drop what you’re doing, and put in some quick mitigations while the team works on a proper fix.

But what about that low-risk vulnerability in some testing utility that nobody even uses in production? Low EPSS, low CVSS… that can probably wait until “when convenient” within the next few weeks. No need to sound the alarm or pull developers off important feature work.

This kind of prioritization just makes sense. Applying the same urgency to every single vulnerability just leads to alert fatigue and wasted resources, and having clear guidelines helps your team know where to focus first.

Integration with enterprise governance

For enterprise organizations, GitHub’s auto-triage rules help provide consistent management of security alerts at scale across multiple teams and repositories.

Auto-triage rules allow you to create custom criteria for automatically handling alerts based on factors like severity, EPSS, scope, package name, CVE, ecosystem, and manifest location. You can create your own custom rules to control how Dependabot auto-dismisses and reopens alerts, so you can focus on the alerts that matter.

These rules are particularly powerful because they:

  • Apply to both existing and future alerts.
  • Allow for proactive filtering of false positives.
  • Enable “snooze until patch” functionality for vulnerabilities without a fix available.
  • Provide visibility into automated decisions through the auto-dismiss alert resolution.

GitHub-curated presets like auto-dismissal of false positives are free for everyone and all repositories, while custom auto-triage rules are available for free on public repositories and as part of GitHub Advanced Security for private repositories.

The real-world impact of smart prioritization

When teams get prioritization right, organizations can experience significant improvements in security management. Research firmly supports this approach: The comprehensive Cyentia EPSS study found teams could achieve 87% coverage of exploited vulnerabilities by focusing on just 10% of them, dramatically reducing necessary remediation efforts by 83% compared to traditional CVSS-based approaches. This isn’t just theoretical, it translates to real-world efficiency gains.

This reduction is not just about numbers. When security teams provide clear reasoning behind prioritization decisions, developers gain a better understanding of security requirements. This transparency builds trust between teams, potentially leading to more efficient resolution processes and improved collaboration between security and development teams.

The most successful security teams pair smart automation with human judgment and transparent communication. This shift from alert overload to smart filtering lets teams focus on what truly matters, turning security from a constant headache into a manageable, strategic advantage.

Getting started

Ready to tame that flood of alerts? Here’s how to begin:

  • Enable Dependabot security updates: If you haven’t already, turn on Dependabot alerts and automatic security updates in your repository settings. This is your first line of defense!
  • Set up auto-triage rules: Create custom rules based on severity, scope, package name, and other criteria to automatically handle low-priority alerts. Auto-triage rules are a powerful tool to help you reduce false positives and alert fatigue substantially, while better managing your alerts at scale.

  • Establish clear prioritization criteria: Define what makes a vulnerability critical for your specific projects. Develop a clear matrix for identifying critical issues, considering factors like impact assessment, system criticality, and exploit likelihood.

  • Consult your remediation workflow for priority alerts: Verify the vulnerability’s authenticity and develop a quick mitigation strategy based on your organization’s risk response matrix.

By implementing these smart prioritization strategies, you’ll help focus your team’s energy where it matters most: keeping your code secure and your customers protected. No more security alert overload, just focused, effective prioritization.

Want to streamline security alert management for your organization? Start using Dependabot for free or unlock advanced prioritization with GitHub Code Security today.

Written by

Andrea Griffiths

Andrea is a Senior Developer Advocate at GitHub with over a decade of experience in developer tools. She combines technical depth with a mission to make advanced technologies more accessible. After transitioning from Army service and construction management to software development, she brings a unique perspective to bridging complex engineering concepts with practical implementation. She lives in Florida with her Welsh partner, two sons, and two dogs, where she continues to drive innovation and support open source through GitHub's global initiatives. Find her online @acolombiadev.

Carlin Cherry

Carlin is a Product Manager at GitHub working in GitHub Advanced Security, with a focus on Dependabot. Her background in software engineering and data science informs her data-driven approach to product management. She lives in Washington with her partner and their dog, Cookie, and spends her free time cycling and playing competitive board games.

Explore more from GitHub

Docs

Docs

Everything you need to master GitHub, all in one place.

Go to Docs

GitHub

GitHub

Build what’s next on GitHub, the place for anyone from anywhere to build anything.

Start building

Customer stories

Customer stories

Meet the companies and engineering teams that build with GitHub.

Learn more

Enterprise content

Enterprise content

Executive insights, curated just for you

Get started