We had a fairly mature DevSecOps practice in the previous company I worked for. We had static and dynamic AppSec testing, software composition analysis and container security products integrated into the build and deployment pipelines.

We broke these pipelines when high severity vulnerabilities were identified, but the inability to release hot fixes to the product impeded the development velocity.

I decided to develop an aging threshold mechanism that allows developers to exclude specific vulnerabilities in a text file, but the caveat was that the pipeline always checked if the vulnerability is aged over 2 weeks. If that was the case, no more exceptions were allowed to deploy.

On top of it, we had a policy to re-deploy the containers every week, so when a deployment failed, it notified the relevant teams that the deployment failed (we didn't have it in the build process though).

Which portions of these practices are adopted in your companies?
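The aging-threshold exception mechanism the comment describes, written out as an added example (this is not the commenter's code or any particular product's feature). It assumes a plain-text exception file in the form `<finding-id> <date-granted> <justification>`, a scanner result reduced to `(id, severity)` pairs, and a 14-day threshold; the finding ids, dates and file contents are constructed sample data. An exception only suppresses a high-severity finding while it is within the threshold; an expired, missing or malformed exception fails the gate closed.

```python
# Added example: a CI gate that honours a text file of vulnerability
# exceptions, but only while each exception is younger than an aging
# threshold. Anything else blocks the deployment (fail closed).
import sys
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Tuple

MAX_EXCEPTION_AGE_DAYS = 14          # the "2 weeks" aging threshold
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}

# Constructed sample exception file. The format is an assumption:
#   <finding-id> <date-granted YYYY-MM-DD> <free-text justification>
SAMPLE_EXCEPTIONS_FILE = """\
# vulnerability exceptions -- one per line
EXAMPLE-0001 2024-03-10 upstream fix pending, code path not reachable here
EXAMPLE-0002 2024-02-01 waiting on base image rebuild
EXAMPLE-0009 not-a-date malformed entry, must not grant an exception
"""

# Constructed sample scanner output as (finding id, severity) pairs.
SAMPLE_FINDINGS: List[Tuple[str, str]] = [
    ("EXAMPLE-0001", "HIGH"),
    ("EXAMPLE-0002", "CRITICAL"),
    ("EXAMPLE-0003", "HIGH"),
    ("EXAMPLE-0004", "LOW"),
    ("EXAMPLE-0009", "HIGH"),
]


def parse_exceptions(text: str) -> Dict[str, date]:
    """Map finding id -> date the exception was granted.
    Blank lines and '#' comments are ignored; a line without a valid
    date is skipped, so it grants no exception at all."""
    exceptions: Dict[str, date] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            continue
        try:
            exceptions[parts[0]] = datetime.strptime(parts[1], "%Y-%m-%d").date()
        except ValueError:
            continue
    return exceptions


@dataclass
class Decision:
    finding_id: str
    severity: str
    allowed: bool
    reason: str


def evaluate(findings: List[Tuple[str, str]], exceptions: Dict[str, date],
             today: date, max_age_days: int = MAX_EXCEPTION_AGE_DAYS) -> List[Decision]:
    """Decide, per finding, whether it may pass the gate today."""
    decisions: List[Decision] = []
    for fid, sev in findings:
        if sev.upper() not in BLOCKING_SEVERITIES:
            decisions.append(Decision(fid, sev, True, "below blocking severity"))
            continue
        granted = exceptions.get(fid)
        if granted is None:
            decisions.append(Decision(fid, sev, False, "no exception on file"))
            continue
        age = (today - granted).days
        if age > max_age_days:
            decisions.append(Decision(fid, sev, False,
                                      f"exception expired ({age} days old, limit {max_age_days})"))
        else:
            decisions.append(Decision(fid, sev, True,
                                      f"exception valid ({age} days old, limit {max_age_days})"))
    return decisions


def gate(exceptions_text: str, findings: List[Tuple[str, str]],
         today_iso: str) -> Tuple[bool, List[str]]:
    """Run the whole check. Returns (deploy allowed?, ids that block it)."""
    today = datetime.strptime(today_iso, "%Y-%m-%d").date()
    decisions = evaluate(findings, parse_exceptions(exceptions_text), today)
    blocked = [d.finding_id for d in decisions if not d.allowed]
    for d in decisions:
        print(f"{'PASS' if d.allowed else 'BLOCK'} {d.finding_id} [{d.severity}]: {d.reason}")
    return (not blocked), blocked


if __name__ == "__main__":
    # In a real pipeline the findings would come from the scanner's report
    # and the exception file from the repository; exit code drives the stage.
    ok, _ = gate(SAMPLE_EXCEPTIONS_FILE, SAMPLE_FINDINGS, date.today().isoformat())
    sys.exit(0 if ok else 1)
```

The threshold is measured from the date the exception was granted, not from when the scanner first saw the finding, so a team cannot reset the clock by re-adding the line; whoever reviews the exception file should treat a changed date the same way as a new exception.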