Impact
At least one internal user identified that vulnerability notifications were not being received. The issue started on UTC-5 25-09-11 18:56 and was proactively discovered 23.2 hours (TTD) later by a staff member, who noticed that the automatic notifications and ticket creation for new vulnerabilities had stopped working in Azure DevOps, Webhooks, GitLab, and Google Chat. Up to 134 organizations could have been affected, although no client reports were received. The problem was resolved in 24.8 days (TTF), resulting in a total window of exposure of 25.7 days (WOE) [1].
Cause
The system was checking for a specific data field that many vulnerabilities did not include. Because of this, if even one vulnerability didn’t have that field, the entire notification process stopped, and no alerts were sent.
Solution
The process to utilize a data field that is always present was modified. Notifications are sent even if some vulnerabilities are missing optional data [2].
Conclusion
The notification system is now working again for all integrations, ensuring that users are properly alerted about new vulnerabilities. Additional safeguards are being evaluated, including new validation steps, to ensure this type of issue does not occur again in the future. INCOMPLETE_PERSPECTIVE < MISSING_ALERT