
This report <https://www.theregister.com/2021/04/06/sap_patch_attacks/> from software company SAP and security company Onapsis says that, from the moment SAP releases a security patch for its products, it only takes about 72 hours until bad hats have reverse-engineered the patch, figured out the security vulnerability it is meant to fix, and started releasing an exploit to take advantage of that vulnerability. Actually, proof-of-concept code can appear quicker than that. Which leaves customers in a dilemma: continue running patches through their regular QA procedures before deployment, widening the window for exploits to get in, or forgo those QA procedures and deploy patches quickly to plug holes while risking breaking production systems? And of course this wouldn’t be unique to SAP ...