We should all be using dependency cooldowns
Mood: informative
Sentiment: positive
Category: tech_discussion
Key topics: Dependency Management, Software Development, Best Practices
Discussion activity: light discussion, based on 2 loaded comments
Story posted: Nov 21, 2025 at 9:50 AM EST
First comment: Nov 23, 2025 at 2:03 AM EST (2d after posting)
Peak activity: 1 comment in Day 2
Latest activity: Nov 23, 2025 at 1:34 PM EST
All the security theatre!
False urgency is a red flag when it comes to emails and SMS. I don't see why people don't see the same when it comes to dependency alerts.
The vast vast majority of alerts are totally useless, when it comes to your actual deployed system, unexploitable and irrelevant.
Rushing to update causes make-work, churn and loss of focus on the real.
Don't get me wrong, I love secure systems, but dependency theatre doesn't make it.
Very very occasionally, you'll get a high priority signal, and then yes act on it immediately. Your deployment systems should be designed so that this is just another release. No expedited short cuts, just another day.
Reducing dependencies, defense in depth, validation, type-safe, null-safe languages etc. all good; endless Dependabot PRs with no understanding of the reason or impact, bad.
I delay the use of updated software by a week, and anyone that doesn't takes the risk. Therefore I, the user of the cooldown, enjoy reduced risk at the expense of everyone not implementing a cooldown.
If everyone simply delays their updates, then there is nobody to suffer an attack which notifies users of the cooldown (in this case, everybody).
The blog post makes the argument that the vendors are incentivized to discover these attacks in this time, but that's an entirely different argument and if that were true, they would already be doing that.
In fact, auditing updates for vulnerabilities is the general solution. The whole appeal of the cooldowns is that you don't have to do that - the cost is that it's a zero-sum game reliant on the suffering of those less wise.
257 more comments available on Hacker News