Code Room
On-call · Medium · oc-g600
Subject: Security / dependency CVE
Level: Mid–Senior
Duration: ~35 min
Common in: Security · Code quality & review interviews
Industries: Software development, Technology

Question

At 14:00 a critical CVE (CVSS 9.8, unauthenticated RCE) is published against a popular serialization library. Your dependency dashboard / SBOM scan flags that 14 of your services pin a vulnerable version of it, including the public-facing API gateway and the payments service. There's a proof-of-concept exploit already circulating on social media. No incident yet — but the clock is running. You're the on-call engineer who caught the page. How do you triage, prioritize, and remediate?

What a strong answer looks like

Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
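The "triage and prioritize" half of the answer can be made concrete. The following is an added example, not part of the original page or the interview platform: a small Python helper that takes an SBOM-derived inventory of services with their pinned library versions, checks each against the advisory's affected range, and orders the affected ones by exposure (internet-facing first, since the exploit is unauthenticated, then payment handling, then everything else). The library name `example-serde`, the service names, the version numbers and the `CVE-YYYY-NNNNN` id are all constructed placeholders, as is the pre-release ordering rule noted in the comments.

```python
"""Triage a dependency CVE against an SBOM-derived service inventory.

Hypothetical helper: the component name, versions, CVE id and service
names below are constructed placeholders, not values from a real advisory.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Advisory:
    cve_id: str        # placeholder id, e.g. "CVE-YYYY-NNNNN"
    component: str     # affected package name
    affected_min: str  # first affected version (inclusive)
    fixed_in: str      # first fixed version (exclusive upper bound)


@dataclass(frozen=True)
class Service:
    name: str
    component: str
    version: str
    internet_facing: bool
    handles_payments: bool


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.4.1' into a comparable tuple (2, 4, 1, 1).

    The trailing flag is 0 for pre-releases ('2.4.0-rc2') and 1 for final
    releases, so a pre-release sorts *below* its final version. That is the
    conservative reading: 2.4.0-rc2 is treated as still vulnerable when the
    fix ships in 2.4.1, and an rc of the fixed version is not assumed fixed.
    """
    nums: List[int] = []
    prerelease = False
    for part in v.split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                prerelease = True   # suffix like '-rc2' or 'b1' present
                break
            digits += ch
        nums.append(int(digits or 0))
    while len(nums) < 3:
        nums.append(0)
    nums.append(0 if prerelease else 1)
    return tuple(nums)


def is_affected(version: str, adv: Advisory) -> bool:
    """True when affected_min <= version < fixed_in."""
    v = parse_version(version)
    return parse_version(adv.affected_min) <= v < parse_version(adv.fixed_in)


def priority(svc: Service) -> int:
    """Lower is more urgent. P0: reachable from the internet (an
    unauthenticated RCE makes exposure the deciding factor); P1: handles
    payments; P2: every other affected service."""
    if svc.internet_facing:
        return 0
    if svc.handles_payments:
        return 1
    return 2


def triage(inventory: List[Service], adv: Advisory) -> Tuple[List[Dict[str, str]], List[str]]:
    """Return (ordered remediation plan, names of services not affected)."""
    affected = [s for s in inventory
                if s.component == adv.component and is_affected(s.version, adv)]
    affected.sort(key=lambda s: (priority(s), s.name))
    plan = []
    for s in affected:
        p = priority(s)
        action = f"upgrade {adv.component} to >= {adv.fixed_in}"
        if p == 0:
            # Edge controls buy time while the upgrade is built and tested.
            action += "; until deployed, block or rate-limit the deserialization path at the edge"
        plan.append({"service": s.name, "priority": f"P{p}",
                     "version": s.version, "action": action})
    unaffected = sorted(s.name for s in inventory if s not in affected)
    return plan, unaffected


# Constructed inventory: six services, one not using the library at all.
INVENTORY = [
    Service("api-gateway", "example-serde", "2.3.0", True, False),
    Service("payments", "example-serde", "2.2.5", False, True),
    Service("reporting-batch", "example-serde", "2.4.1", False, False),  # already on the fix
    Service("inventory-sync", "example-serde", "2.1.0", False, False),
    Service("mobile-bff", "example-serde", "2.4.0-rc2", True, False),    # pre-release below the fix
    Service("notifications", "other-lib", "1.9.0", False, False),        # different component
]
ADVISORY = Advisory("CVE-YYYY-NNNNN", "example-serde", "2.0.0", "2.4.1")

if __name__ == "__main__":
    plan, clean = triage(INVENTORY, ADVISORY)
    for row in plan:
        print(f"{row['priority']} {row['service']:<16} {row['version']:<10} {row['action']}")
    print("not affected:", ", ".join(clean))
```

The ordering is the point of the exercise: the dashboard says "14 services", the on-call answer is "these two first, that one next, the rest in the normal release train", with the fixed-version check keeping already-patched services out of the work queue. Swap the constructed inventory for the real SBOM export and the placeholder advisory for the published range when using this for real.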
