Many organisations by principle only apply product updates that are explicitly marked as security fixes. I argue why this policy is not sufficient with examples on how general updates also have impact on #security

https://krvtz.net/posts/why-only-security-updates-approach-is-not-sufficient.html