Monitor upstream releases / security advisories
We deploy some application directly from upstream VCS, which means the underlying distribution does not provide us with (security) updates: we have to do it ourselve.
=> It's 100% manual/human for now. Perhaps we could consume events from release-monitoring.org? What of CVEs?