Failure in automated vulnerability notifications

Update timeline

1. identified Oct 10, 2025, 03:51 PM UTC

   Integrations such as GitLab, Azure DevOps, and Google Chat experienced issues where automated notifications for newly detected vulnerabilities were not delivered.

2. resolved Oct 10, 2025, 03:54 PM UTC

   The incident has been resolved, and automatic vulnerability notifications through the integrations are now working as expected.

3. postmortem Oct 10, 2025, 04:07 PM UTC

   **Impact** At least one internal user identified that vulnerability notifications were not being received. The issue started on UTC-5 25-09-11 18:56 and was proactively discovered 23.2 hours \(TTD\) later by a staff member, who noticed that the automatic notifications and ticket creation for new vulnerabilities had stopped working in Azure DevOps, Webhooks, GitLab, and Google Chat. Up to 134 organizations could have been affected, although no client reports were received. The problem was resolved in 24.8 days \(TTF\), resulting in a total window of exposure of 25.7 days \(WOE\) [\[1\]](https://gitlab.com/fluidattacks/universe/-/issues/17854). **Cause** The system was checking for a specific data field that many vulnerabilities did not include. Because of this, if even one vulnerability didn’t have that field, the entire notification process stopped, and no alerts were sent. **Solution** The process to utilize a data field that is always present was modified. Notifications are sent even if some vulnerabilities are missing optional data [\[2\]](https://gitlab.com/fluidattacks/universe/-/merge_requests/86117). **Conclusion** The notification system is now working again for all integrations, ensuring that users are properly alerted about new vulnerabilities. Additional safeguards are being evaluated, including new validation steps, to ensure this type of issue does not occur again in the future. **INCOMPLETE\_PERSPECTIVE < MISSING\_ALERT**