You’ve published a vulnerability and patch-management policy.

But keeping the software you ship compliant is never-ending work that most engineers hate doing - and it’s getting harder by the day.

  • A typical application carries ~911 third-party dependencies [1]
  • Newly disclosed CVEs are up 263% since 2020 [2]
  • And AI is compounding it from three sides at once:
    • it finds vulnerabilities faster than manual research ever could [3]
    • LLM coding tools increase the amount of code being shipped
    • attackers use it to shrink the window between disclosure and exploit

Is staying compliant stealing time from shipping features?

That’s where we come in. We take it off your engineers - matching your practice to your published policy, keeping it that way, and handing you the evidence to defend it. Specialists doing daily what your team would rather not, so your engineers stay on the features only they can build.

How we work with you

Get compliant - and stay that way.

See where you stand, close the gap, then keep it closed.

01 · Policy Gap Scorecard

Does your real practice match the patch policy you’ve published?

A short, sharp review of how your real practice compares to the SLAs you’ve committed to - in ISO 27001, SOC 2, or a customer contract.

  • A structured read against your published policy
  • The gaps ranked, with your top priorities
  • A readout for your team or board

02 · Software Release Automation

Close the gap before your next audit or enterprise deal.

A fixed-fee project against a real deadline. We don’t just remediate - we build the machinery that keeps you compliant after we leave.

  • An SBOM baseline, with automation that pulls in upstream fixes as they land
  • Human-signed VEX - which findings matter, with the evidence to defend each call
  • A hardened, minimal base image where it fits your stack
  • Release automation that re-checks every build, plus reporting that shows you’re meeting your policy SLAs

03 · Stay-Compliant Retainer

Keep meeting your policy - without hiring a full-time supply-chain engineer.

Ongoing cover for live DORA, CRA, or customer obligations. Cheaper and more continuous than a full-time hire; more reliable than a once-a-year scramble.

  • Daily SBOM-vs-CVE analysis, whatever your release cadence
  • Ongoing triage and remediation support
  • Current, audit-ready evidence, ready to hand over
  • Policy-SLA reporting (for example: criticals inside 7 days, highs inside 30)

Coverage and SLA depth scale to your estate.
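To make the policy-SLA reporting above concrete, here is an added example (not Wellmaintained's own tooling) that evaluates a set of SBOM-vs-CVE findings against the page's example windows: criticals inside 7 days, highs inside 30. It assumes the CycloneDX/OpenVEX status vocabulary (`affected`, `not_affected`, `fixed`, `under_investigation`), assumes a 90-day window for medium/low findings (the page does not state one), and uses constructed findings with placeholder `CVE-0000-000N` identifiers rather than real CVEs. The point it adds is the triage rule: a `not_affected` VEX statement only takes a finding off the clock when it carries a justification, because an unjustified exclusion is not evidence an auditor can accept.

```python
"""Policy-SLA evaluation of VEX-annotated SBOM findings (constructed example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation windows. Critical/high are the page's example; medium/low are an assumption.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 90}

# VEX statuses that stop the remediation clock entirely (CycloneDX/OpenVEX vocabulary).
NO_CLOCK = {"not_affected"}


@dataclass
class Finding:
    cve: str                  # placeholder identifier in this example
    component: str            # purl-style component name from the SBOM
    severity: str             # critical | high | medium | low
    first_seen: date          # day the CVE first matched a component in the SBOM
    vex_status: str           # affected | not_affected | fixed | under_investigation
    fixed_on: Optional[date] = None
    justification: str = ""   # required for not_affected (e.g. vulnerable_code_not_present)


def evaluate(f: Finding, as_of: date) -> dict:
    """Classify one finding against the policy window as of a given date."""
    sev = f.severity.lower()
    if sev not in SLA_DAYS:
        raise ValueError(f"unknown severity {f.severity!r} for {f.cve}")
    deadline = f.first_seen + timedelta(days=SLA_DAYS[sev])

    if f.vex_status in NO_CLOCK:
        # An exclusion without a justification is not defensible evidence: flag it
        # instead of silently dropping the finding from the report.
        state = "excluded" if f.justification else "invalid_vex"
        days_over = 0
    elif f.fixed_on is not None:
        state = "closed_in_sla" if f.fixed_on <= deadline else "closed_late"
        days_over = max(0, (f.fixed_on - deadline).days)
    else:
        state = "open_in_sla" if as_of <= deadline else "overdue"
        days_over = max(0, (as_of - deadline).days)

    return {"cve": f.cve, "component": f.component, "severity": sev,
            "deadline": deadline.isoformat(), "state": state, "days_over": days_over}


def sla_report(findings, as_of: date) -> dict:
    """Roll per-finding states up into the numbers a policy-SLA report needs."""
    rows = [evaluate(f, as_of) for f in findings]
    counted = [r for r in rows if r["state"] not in ("excluded", "invalid_vex")]
    breaches = [r for r in counted if r["state"] in ("closed_late", "overdue")]
    return {
        "as_of": as_of.isoformat(),
        "rows": rows,
        "in_policy": len(counted) - len(breaches),
        "breaches": len(breaches),
        "invalid_vex": sum(r["state"] == "invalid_vex" for r in rows),
        "state_by_cve": {r["cve"]: r["state"] for r in rows},
    }


# Constructed sample data: placeholder CVE IDs, not real vulnerabilities.
AS_OF = date(2025, 6, 30)
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "pkg:npm/example-a@1.0.0", "critical", date(2025, 6, 1), "fixed", date(2025, 6, 5)),
    Finding("CVE-0000-0002", "pkg:npm/example-b@2.1.0", "critical", date(2025, 6, 10), "affected"),
    Finding("CVE-0000-0003", "pkg:pypi/example-c@3.0.0", "high", date(2025, 6, 5), "under_investigation"),
    Finding("CVE-0000-0004", "pkg:golang/example-d@0.4.0", "high", date(2025, 5, 1), "not_affected",
            justification="vulnerable_code_not_present"),
    Finding("CVE-0000-0005", "pkg:golang/example-e@0.9.0", "high", date(2025, 5, 1), "not_affected"),
    Finding("CVE-0000-0006", "pkg:maven/example-f@5.2.0", "high", date(2025, 5, 1), "fixed", date(2025, 6, 10)),
]


def demo_report() -> dict:
    """Run the sample through the report; used by the usage block below."""
    return sla_report(SAMPLE_FINDINGS, AS_OF)


if __name__ == "__main__":
    report = demo_report()
    for row in report["rows"]:
        print(f"{row['cve']}  {row['severity']:8} {row['state']:14} deadline={row['deadline']}  over={row['days_over']}d")
    print(f"in policy: {report['in_policy']}  breaches: {report['breaches']}  unjustified VEX: {report['invalid_vex']}")
```

Run daily against the current SBOM-vs-CVE match set and the `breaches` and `invalid_vex` counts are the two numbers worth escalating: the first is a policy miss you must explain, the second is an exclusion you cannot yet defend.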

Who I am

Twenty-five years in software engineering, DevOps, SRE, and release engineering at Pivotal, VMware, Shopify, and Mechanical Orchard. I work specifically on the supply-chain side: reproducible builds, SBOM generation, dependency provenance, CVE remediation pipelines. Lately I’ve been exploring where agent-assisted workflows can make the repetitive parts of SBOM analysis, vulnerability triage, and remediation evidence cheaper and faster: the patient, tedious work that usually makes engineers want to quit. Based in Dublin.

Book a call

Pick a slot and let’s talk about how Wellmaintained can remove the toil of adhering to your policy from your engineering teams.

Scheduler not loading, or none of the slots work? Email me directly: [email protected]

References
  1. Black Duck Software. 2025 Open Source Security and Risk Analysis (OSSRA) Report. 2025. Sample: 965 commercial codebases across 16 industries, calendar year 2024. blackduck.com/…/rep-ossra.pdf
  2. National Institute of Standards and Technology (NIST). National Vulnerability Database - CVE submission statistics, 2020 - 2025. nvd.nist.gov/general/nvd-dashboard
  3. Anthropic. Project Glass Wing - Claude Mythos vulnerability-discovery research announcement. 2026-04-07. Named zero-days include a 27-year-old OpenBSD TCP flaw, a 16-year-old FFmpeg codec flaw, and CVE-2026-4747 (FreeBSD NFS RCE). anthropic.com/glasswing
  4. European Union. Regulation (EU) 2022/2554 of 14 December 2022 on digital operational resilience for the financial sector (DORA). Article 19 reporting cadence: initial notification within 4 hours of classification; intermediate report within 72 hours; final report within one month. eur-lex.europa.eu/eli/reg/2022/2554/oj
  5. European Union. Regulation (EU) 2024/2847 on horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act). Requires vendors to declare vulnerabilities, provide security updates for the product's support period, and notify ENISA of actively exploited vulnerabilities within 24 hours. eur-lex.europa.eu/eli/reg/2024/2847/oj