■Collection of Vulnerability Information
We have implemented a system to detect CVE information for the libraries we use, and we apply patches as needed.
We make decisions based on the CVE and its impact on our services. For critical vulnerabilities, we respond as quickly as possible, while others are addressed sequentially.
Please note that we do not generally disclose the information sources for CVEs we use.
■Patch Application Process
When applying patches, we first test them in a test environment and confirm there are no issues before applying them to the production environment.
■Management of Work Records
For libraries used in application code, we manage patch application history on GitHub. For OS library updates, we record AWS machine image update operations as logs.