CVE Scanning and Vulnerability Management

How Trustgrid evaluates CVEs, applies package updates, and why agentless scan results should be interpreted carefully.

How Trustgrid Evaluates CVEs

Trustgrid continuously monitors CVE disclosures and evaluates each against the actual configuration, access controls, and mitigations present in the platform. Most CVEs flagged by automated scanners are not exploitable on Trustgrid nodes. Architectural controls, restricted network access, and a limited attack surface keep them out of reach.

When a CVE is genuinely exploitable in our environment, Trustgrid coordinates with affected customers to define mitigation steps and fast-tracks a release with the appropriate packages.

Package Updates and Release Cadence

Trustgrid nodes use curated mirrors of the Ubuntu package repositories. These mirrors are updated for major releases and, when necessary, for security-focused minor releases issued between majors. Routine bug-fix minor releases do not update the mirror.

Each release’s mirror date is published in the Release Notes. A node applies all security packages available in the mirror as of that date the next time it runs its scheduled update. Security packages published after that date are not available to the node until a later release refreshes the mirror.

To reduce reported vulnerabilities, update nodes to the latest release. The latest release always carries the most current mirror.

Scheduling node updates is the Customer’s responsibility, in accordance with their change management procedures.

Interpreting Agentless Scan Results

Agentless scanners infer installed package versions remotely, typically from service banners and protocol responses rather than from the node’s package database, so the version they report may not match what is actually installed. Ubuntu security updates usually backport a fix while keeping the upstream version number, so a banner-based scanner can flag a package that already carries the fix. Because Trustgrid nodes do not permit direct remote access, agentless scanning is the only method available to end users, so interpret scan results carefully.

If a scan reports a package version older than a security fix that was published before the mirror date of the node’s current release, the finding is most likely a reporting artifact: the node already carries that package. Before drawing conclusions from scan output, confirm in the Release Notes which mirror date applies to the release the node is running, and that the node has run its scheduled update since that release was installed.