[EDI] About exposure to vulnerabilities in your code and in dependencies (#59795)

sophietheking · Copilot · isaacmbrown · web-flow · commit d7ea211e5f6a · 2026-03-02T15:55:54.000Z
Co-authored-by: Copilot Autofix powered by AI &lt;175728472+Copilot@users.noreply.github.com&gt;
Co-authored-by: Isaac Brown &lt;101839405+isaacmbrown@users.noreply.github.com&gt;
diff --git a/content/code-security/concepts/vulnerability-reporting-and-management/about-your-exposure-to-vulnerabilities-in-your-code-and-in-dependencies.md b/content/code-security/concepts/vulnerability-reporting-and-management/about-your-exposure-to-vulnerabilities-in-your-code-and-in-dependencies.md
@@ -1,7 +1,7 @@
 ---
 title: About exposure to vulnerabilities in your code and in dependencies
 shortTitle: Vulnerability exposure
-intro: Understanding your organization’s exposure to vulnerabilities in first-party code and in all dependencies is essential for enabling you to efficiently assess, prioritize, and remediate vulnerabilities, reducing the likelihood of security breaches.
+intro: Understand how vulnerabilities in your own code and in third-party dependencies contribute to your organization’s overall security exposure, and how to measure and reduce that risk.
 allowTitleToDifferFromFilename: true
 product: '{% data reusables.gated-features.ghas-billing %}'
 versions:
@@ -17,9 +17,9 @@ redirect_from:
   - /code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilities/about-your-exposure-to-vulnerable-dependencies
 ---
 
-## About exposure to vulnerable code
+## Risks of unaddressed vulnerabilities 
 
-Your organization has exposure to vulnerabilities in both the code you write and maintain, and in the open-source or third-party dependencies your code uses. Assessing your exposure to vulnerable dependencies is crucial if you want to prevent:
+Your organization has exposure to vulnerabilities in both the code you write and maintain, and in the open source or third-party dependencies your code uses. Assessing your exposure to vulnerabilities is crucial if you want to prevent:
 
 * **Unplanned downtime and operational disruption**. Exploitation of vulnerabilities can result in application outages, degraded service quality, or cascading failures in critical systems, disrupting your business operations.
 
@@ -31,7 +31,7 @@ Your organization has exposure to vulnerabilities in both the code you write and
 
 * **Regulatory and licensing issues**. Many regulations and industry standards require organizations to proactively address known vulnerabilities in their software supply chain. Failing to remediate vulnerable dependencies can result in non-compliance, audits, legal penalties, or breaches of open source license obligations.
 
-Regularly assessing your exposure to vulnerabilities is good practice to help identify risks early, implement effective remediation strategies, and maintain resilient, trustworthy software.
+Regularly assessing vulnerability exposure helps you identify risks early and prioritize remediation.
 
 ## Ways to monitor your repositories for vulnerable code
 
@@ -41,17 +41,19 @@ Regularly assessing your exposure to vulnerabilities is good practice to help id
 
 {% data variables.product.github %} provides a comprehensive set of {% data variables.product.prodname_dependabot %} metrics to help you monitor, prioritize, and remediate these risks across all repositories in your organization. See [AUTOTITLE](/code-security/concepts/supply-chain-security/about-metrics-for-dependabot-alerts).
 
-## Key tasks for AppSec managers
+## Reducing organizational vulnerability exposure
 
-### 1. Monitor vulnerability metrics for dependencies
+Reducing organizational vulnerability exposure requires ongoing visibility into risk, remediation progress, and policy enforcement across repositories. {% data variables.product.prodname_dependabot %} and {% data variables.product.prodname_code_scanning %} metrics provide this visibility. Use the following best practices to monitor and reduce your organization's vulnerability exposure:
+
+### Monitor vulnerability metrics for dependencies
 
 Use the metrics overview for {% data variables.product.prodname_dependabot %} to gain visibility into the current state of your organization's dependency vulnerabilities. See [AUTOTITLE](/code-security/security-overview/viewing-metrics-for-dependabot-alerts).
 
 * **Alert prioritization:** Review the number of open {% data variables.product.prodname_dependabot_alerts %} and use filters such as CVSS severity, EPSS exploit likelihood, patch availability, and whether a vulnerable dependency is actually used in deployed artifacts. {% data reusables.security-overview.dependabot-filters-link %}
 * **Repository-level breakdown:** Identify which repositories have the highest number of critical or exploitable vulnerabilities.
 * **Remediation tracking:** Track the number and percentage of alerts fixed over time to measure the effectiveness of your vulnerability management program.
 
-### 2. Monitor introduction of new {% data variables.product.prodname_code_scanning %} alerts
+### Monitor introduction of new {% data variables.product.prodname_code_scanning %} alerts
 
 Use the alert view for {% data variables.product.prodname_code_scanning %} to gain visibility into remediation activity in your organization's pull requests. See [AUTOTITLE](/code-security/security-overview/viewing-metrics-for-pull-request-alerts).
 
@@ -60,7 +62,7 @@ Use the alert view for {% data variables.product.prodname_code_scanning %} to ga
 * **Repository-level breakdown:** Identify which repositories have the highest number of alerts detected in pull requests but still merged into the default branch.
 * **Remediation tracking:** Track the number and percentage of alerts fixed over time to measure the effectiveness of your vulnerability management program.
 
-### 3. Prioritize remediation efforts
+### Prioritize remediation efforts
 
 Focus on vulnerabilities that present the highest risk to your organization.
 
@@ -69,20 +71,20 @@ Focus on vulnerabilities that present the highest risk to your organization.
 * Encourage development teams to address vulnerabilities that are actually used in deployed artifacts through repository custom properties and using production context. See [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilities/alerts-in-production-code).{% endif %}{% ifversion security-campaigns %}
 * Create security campaigns to encourage and track the remediation of high priority {% data variables.product.prodname_code_scanning %} alerts. See [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/creating-managing-security-campaigns).{% endif %}
 
-### 4. Communicate risk and progress
+### Communicate risk and progress
 
 * Use the metrics pages to communicate key risk factors and remediation progress to stakeholders.
 * Provide regular updates on trends, such as the reduction in open critical vulnerabilities or improvements in remediation rates.
 * Highlight repositories or teams that require additional support or attention.
 
-### 5. Establish and enforce policies
+### Establish and enforce policies
 
 * Set an organization-wide security configuration that enables {% data variables.product.prodname_dependabot %} and {% data variables.product.prodname_code_scanning %} on all existing and new repositories. See [AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale).
 * Enable dependency review to comment on pull requests in all repositories.
 * Create an organization-wide ruleset to protect the default branch and require critical {% data variables.product.prodname_code_scanning %} alerts to be fixed before a pull request can be merged. See [AUTOTITLE](/organizations/managing-organization-settings/managing-rulesets-for-repositories-in-your-organization).
 * Work with repository administrators to enable automated security updates where possible. See [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates).
 
-### 6. Assess the impact of alerts
+### Assess the impact of alerts
 
 * Regularly review how {% data variables.product.prodname_dependabot %} and {% data variables.product.prodname_code_scanning %} alerts are helping to block security vulnerabilities from entering your codebase.
 * Use historical data to demonstrate the value of proactive dependency management.
