Discover how Getup is solving the problem of container vulnerabilities, reducing CVEs by up to 90% and making security more efficient without impacting productivity.

CEO
Diogo Goebel

Conversations with our clients reveal a growing frustration: container images with a high number of known vulnerabilities (CVEs), even when official and up-to-date versions are used. The volume is so high that it makes any initiative to manage or mitigate the discovered risks almost impossible.
Over the past year, our work with Zora has helped expose the scale of the problem. It has also made it clear that having visibility is not enough. The difficulties in remediating vulnerabilities are countless, while the number continues to grow. This scenario ends up reinforcing the perception that security management is something distant or almost utopian, exposing companies to even greater risks.
Some of the recurring challenges in our conversations:
Too many vulnerabilities, even in official images. In our day-to-day work providing Kubernetes support, we see this firsthand. Popular images frequently carry hundreds of CVEs. While writing this article, we checked a widely used Node image and found 1246 vulnerabilities.
Prioritization helps, but it doesn't solve the problem. Tools like Prisma Cloud and Kubescape classify vulnerabilities and show which ones to address first, but this doesn't reduce the quantity of CVEs that teams need to deal with. Even with prioritization, the backlog remains huge.
Developers are forced to fix vulnerabilities on top of their core tasks. Shift-left approaches help, but with a high number of flaws to resolve, they end up delaying development instead of strengthening security. We also found deploys being approved despite a critical vulnerability because a certain feature had to be delivered.
Lack of a clear owner. In most companies, there is no single team responsible for CVE management. Security, DevOps, DevSecOps, and infrastructure share this role without defined leadership, which leaves many vulnerabilities unhandled.
This reality led us to rethink how CVE management should work.
Eliminating CVEs at the Source: Our approach to vulnerability management
Instead of creating more tools to detect vulnerabilities, we chose to eliminate them at the source. Our solution has been reducing the volume of CVEs by 90%, decreasing the overhead on teams and changing the perception of security and vulnerability management.
First company trials confirm this impact; they are seeing a drastic reduction in the number of CVEs. Less time spent on sorting and fixing CVEs means fewer delays, faster deliveries, and security that does not interfere with productivity.
We leveraged the lessons learned from Zora and direct feedback from our customers to ensure this solution addresses not only the technical problem but also the operational difficulties that make vulnerability management seem like a waste of time and resources.
Core Principles of Our Approach
Noise Reduction: Instead of overwhelming teams with alerts, we eliminate vulnerabilities before they reach your environment.
Simplified Remediation: CVE management is a repetitive and constant job. Our solution automates updates and fixes, reducing manual effort and ensuring flaws are resolved without disrupting development.
Proactive Security: We prevent vulnerabilities from reaching production, rather than reacting after they are already in the environment. This reduces risks, keeps workflows organized, and avoids unnecessary disruptions.
Challenge Accepted? Join Us
We are not sharing all the details just yet, but at Getup, we took on the challenge of CVE management and created a solution based on the real pain points we heard from teams like yours. If CVE management is consuming your team's time, we want to hear your feedback. If your company doesn't have a defined process for CVE management yet, we also want to hear from you and help you take this important step.
We have launched an initial version of our solution, which is running with selected companies. Now, we are expanding access through our Early Access Program.
In the program, you get:
Access to the solution before the official launch.
Influence on the product with feedback based on your usage.
Direct support from our engineering team.
If CVE management in container images is an issue for your team, [sign up here] to join the program and see how we are making security simpler and more effective.
