← Back to principles
Team
Security Never Waits
What this means in practice
Security maintenance is planned into regular work (not treated as ad-hoc). This includes keeping dependencies, infrastructure, and platforms up to date with security patches, and scheduling time for routine upgrades and vulnerability remediation.
When a critical vulnerability is identified, we take end-to-end ownership: we stop the track to coordinate the fix, and we also own the communication
Timely internal updates
Clear customer/stakeholder messaging (where applicable)
Documented status/next steps until the issue is resolved.
Coordination with other teams
Why this matters
Unpatched or poorly managed vulnerabilities create unacceptable risk. Treating security maintenance as planned work reduces the chance of incidents and makes delivery more predictable.
When we stop the track for critical vulnerabilities, we reduce time-to-mitigate and limit blast radius. Owning the communication as well as the fix ensures stakeholders get clear, timely updates, helps teams coordinate effectively, and supports customer trust and compliance expectations.
Practices that meet this principle
Vulnerability findings are triaged quickly with clear owners and SLAs.
Work is re-prioritised immediately for critical security issues (including critical vulnerabilities). We can stop the track and pause feature delivery when needed.
Security scanning of images - we can’t deploy infected images
Security scanning included in Pull requests - we can’t merge which adds risks
Agents independently suggest fixes that are not ignored
Documented process, everyone knows!. Over-communicate. How do we find out?
Validation
A project meets this principle when:
There is a visible, recurring plan for patching and security maintenance (capacity, cadence, ownership).
Critical/high vulnerabilities are addressed within agreed timeframes, with evidence (tickets/PRs/releases).
The team has an agreed “stop the track” trigger and escalation path for urgent security work, including critical vulnerabilities.