
jjav, yesterday at 9:52 PM

Very early in my career I'd take these vulnerability reports as a personal challenge and spend my day/evening proving it wasn't actually exploitable in our environment. And I was often totally correct, it wasn't.

But... I spent a bunch of hours on that. For each one.

These days we just fix every reported vulnerable library; it turns out that is far less work. And at some point we'd upgrade anyway, so we might as well.

Only if it causes problems (incompatibilities, regressions) do we then look at it, analyze exploitability and make judgement calls. Over the last several years we've only had to do that for about 0.12% of the vulnerabilities we've handled.

Replies

ozim, today at 6:02 AM

That’s basically my experience as well. Just upgrading is much easier and cheaper.

Of course, with the latest supply chain failures we don't update right away or automatically.

If it is an RCE in a component that is exposed, then of course we do it ASAP. But those are super rare.