5 ways to fix misleading vulnerability severities with policy
GitLab·Grant Hickman·3 days ago
A typical enterprise vulnerability report surfaces hundreds of findings per scan cycle, all ranked by the Common Vulnerability Scoring System (CVSS). The problem: CVSS describes the theoretical characteristics of a Common Vulnerabilities and Exposures (CVE), not whether it matters in your environment. A Critical vulnerability in an internal-only utility library is not the same risk as a Medium vulnerability in a public-facing authentication service, but they're treated identically until someone manually triages each one. That triage work doesn't scale.

GitLab vulnerability management policies can now automatically override those default CVSS severity levels based on conditions you define, so your vulnerability report reflects your actual risk model instead of a generic one.

How severity override policies work

A severity override policy is a type of vulnerability management policy that adjusts vulnerability severity levels automatically on every default-branch pipeline.…
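To make the idea of condition-based severity overrides concrete, here is an added illustration that is not GitLab's policy syntax and not code from the article: a small rule engine that re-ranks scanner findings by exposure conditions. The rule names, component names, field names and the CVE-0000-* identifiers are all constructed for the example; the two rules encode exactly the contrast the paragraph draws (a Critical in an internal-only utility library versus a Medium in a public-facing authentication service).

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Optional

# Added illustration, not GitLab's policy format: re-rank scanner findings by
# conditions we define instead of trusting the CVSS default alone.

LEVELS = ["low", "medium", "high", "critical"]


@dataclass
class Finding:
    cve: str                  # constructed placeholder IDs below, not real CVEs
    component: str
    cvss_severity: str        # the severity the scanner reported
    internet_facing: bool
    handles_auth: bool


@dataclass
class Rule:
    name: str
    matches: Callable[[Finding], bool]
    shift: int                    # +1 raises one level, -1 lowers one level
    floor: Optional[str] = None   # never end below this level when the rule matches


def shift_level(level: str, shift: int, floor: Optional[str] = None) -> str:
    """Move a severity up or down the scale, clamped to the scale's ends."""
    idx = LEVELS.index(level) + shift
    idx = max(0, min(len(LEVELS) - 1, idx))
    if floor is not None:
        idx = max(idx, LEVELS.index(floor))
    return LEVELS[idx]


def effective_severity(f: Finding, rules):
    """Apply rules in order; the first matching rule decides.
    Returns (severity, reason) so the override is explainable in the report."""
    for r in rules:
        if r.matches(f):
            return shift_level(f.cvss_severity, r.shift, r.floor), r.name
    return f.cvss_severity, "cvss default"


RULES = [
    # Exposure that matters: public-facing and on the auth path.
    Rule("public-facing auth service: raise one level, at least high",
         lambda f: f.internet_facing and f.handles_auth, +1, floor="high"),
    # Exposure that matters less: internal-only and not on the auth path.
    Rule("internal-only, no auth role: lower one level",
         lambda f: not f.internet_facing and not f.handles_auth, -1),
]

FINDINGS = [  # constructed sample scan output
    Finding("CVE-0000-0001", "internal-utils-lib", "critical", False, False),
    Finding("CVE-0000-0002", "login-gateway", "medium", True, True),
    Finding("CVE-0000-0003", "login-gateway", "low", True, True),
    Finding("CVE-0000-0004", "public-docs-site", "high", True, False),
]


def rerank(findings, rules=RULES):
    """Per finding: (cve, cvss severity, effective severity, reason)."""
    return [(f.cve, f.cvss_severity, *effective_severity(f, rules)) for f in findings]


def severity_histogram(findings, rules=RULES):
    """Counts by severity before and after overrides, i.e. the triage queue shape."""
    before = Counter(f.cvss_severity for f in findings)
    after = Counter(effective_severity(f, rules)[0] for f in findings)
    return dict(before), dict(after)


if __name__ == "__main__":
    for row in rerank(FINDINGS):
        print("%s  cvss=%-8s effective=%-8s (%s)" % row)
    print(severity_histogram(FINDINGS))
```

Two design choices carry over to any real policy: overrides are ordered and first-match-wins, so rule precedence is explicit rather than accidental, and every override records the rule that produced it, so an analyst reading the report can see why a finding no longer carries its CVSS rank.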
