---
title: "Five Months to Patch, One Day to Weaponize: CVE Remediation Has a Math Problem - Blog - Coder"
description: "DaShaun Carter's upgrade demo always lands at zero CVEs. Two weeks ago it stopped at four, and what that means should worry every enterprise."
image: "https://www.datocms-assets.com/19109/1782244428-blog_five-months-to-patch-one-day-to-weaponize.png?fit=clip&fm=webp&w=800"
canonical: "https://coder.com/blog/cve-remediation-dashaun-carter"
---

Jun 23, 2026 · 3 min read

# Five Months to Patch, One Day to Weaponize: CVE Remediation Has a Math Problem

[Nicky Pike](https://coder.com/blog/author/Nicky)


DaShaun Carter has run the same live demo for years. He upgrades a Spring project in front of an audience and watches the CVE count drop from 290-something to zero. He's done it so many times that he's caught brand-new Spring Boot releases mid-demo, before the announcement post even went live. The patch ships before the blog does, and his automation finds it first.

But a couple of weeks before we recorded an episode for the [\[Dev\]olution Podcast](https://www.youtube.com/@Devolution-Podcast), the demo stopped at four.

That was the first time it had ever happened. And the four weren't Spring's. They were days-old vulnerabilities in third-party libraries riding along in the dependency tree, the part of your software nobody's watching closely enough.

Here's the math that should bother you. [Bitsight](https://www.bitsight.com/press-releases/bitsight-reveals-more-60-percent-known-exploited-vulnerabilities-remain-unmitigated) pegs remediation for a critical vulnerability at about four and a half months on average, and known-exploited vulnerabilities overall closer to six. Pick whichever number you like; it's measured in months. Meanwhile, [VulnCheck](https://www.vulncheck.com/blog/exploitation-trends-q1-2025) found that 28.3% of exploited vulnerabilities got weaponized within 24 hours of disclosure. Months on defense. A day on offense.

That math doesn't math.

And if your plan still leans on severity scores, DaShaun has bad news there too. Attackers are chaining a CVSS 1 with a CVSS 3, splitting the payload across both, and walking right past tooling that only watches for the scary nines. "It's just a three, we're not at risk" stopped being a sentence you get to say out loud.

Full disclosure: I owe DaShaun a personal debt, so I take his patching opinions seriously. Back when Nick Kuhn and I were busy planning Cloud Foundry Weekly to death, DaShaun opened his laptop and booked our first live episode for the following week. "Just jump in, you'll figure it out." He was right. He's been living his own advice since around 2000, when a server he forgot to patch got hacked back in his web-hosting days. He's been obsessive ever since. He calls it the N-minus-zero life: latest version of everything, always, no exceptions.

So what's his fix for the five-month problem? That's the back half of the episode, and it's worth the watch precisely because it isn't "patch faster," and it isn't "turn an AI agent loose on your repos" either. DaShaun runs agents that never write a single patch. His argument: the second you let AI freelance a fix per repo, you lose determinism, and determinism is the only thing that survives contact with a thousand repositories. ([He lays out the recipe model around 33:59.](https://youtu.be/kqFP-9A4Vb8?t=2039))

Also on the table: why a guy who spent years making fun of banks for keeping code off developer laptops now refuses to bank anywhere that doesn't, and what a 104-node Raspberry Pi cluster has to do with your enterprise AI budget.

[**Watch the full episode on YouTube**](https://youtu.be/kqFP-9A4Vb8)

If continuous patching, six-figure agent bills, and a grown man touring the country with a Raspberry Pi army sound like your kind of conversation, subscribe. New episode every two weeks.


Field CTO at Coder and host of the \[Dev\]olution podcast

Nicky Pike spent 20+ years making developers' lives easier at some of tech's biggest names before joining Coder. From launching Xbox Live to rebuilding how CVS Health develops software, he's helped shape developer productivity and team experiences at Microsoft, Dell, and VMware/Broadcom Tanzu. A respected voice in the Cloud Foundry community and regular conference speaker, Nicky has a talent for making cloud-native development and platform engineering actually make sense to humans.
