DevSecOps 'Bystander Effect' Leaves Critical Vulnerabilities Unpatched for Months
A growing ownership problem in software security means critical vulnerabilities often go unpatched because no individual or team feels clearly responsible for fixing them. When security alerts are broadcast to shared channels or generic dashboards, developers experiencing alert fatigue tend to assume someone else will act, a phenomenon researchers call the DevSecOps bystander effect. Veracode's 2025 research shows the average time to fix a security flaw has grown 47% since 2020, rising from 171 days to 252 days. Meanwhile, Mandiant's M-Trends 2026 report estimates attackers are exploiting vulnerabilities in roughly negative seven days on average, meaning exploits often arrive before patches do. Experts argue that fixing the crisis requires both cultural changes — such as clearer RACI frameworks and security champion programs — and technical solutions like automated vulnerability routing that assigns alerts directly to accountable code owners.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)
Log in to join the discussion and vote.
Log in