
Scaling vulnerability management across thousands of services and more than 150 million findings

Blog post from GitHub

Post Details
Company: GitHub
Author: Stephan Miehe
Word Count: 1,838
Language: English
Summary

GitHub has built an agile vulnerability management program to protect its large infrastructure and the data of more than 100 million developers worldwide. The program is treated as an intelligence function rather than as traditional patch management: it assesses potential threats and their business impact so that decisions about mitigating risk can be made quickly. Previously, bespoke per-team processes created operational overhead and an inconsistent experience for users. To address this, GitHub built an internal tool called Security Findings, which centralizes and normalizes data from many sources, reduces noise, and keeps the solution adaptable. The tool provides a single source of truth for security findings, adds intelligence through data mining, and offers a user-friendly experience with role-based access controls and integration into existing developer workflows, including GitHub itself. Security exceptions are managed on the same platform, using Slack for real-time alerts and pull requests for approvals. The system has processed more than 150 million findings, improving GitHub's ability to address security risks promptly and letting security teams focus on critical work.