Example Patch Policy (FreeBSD)


Security Patching:

Portaudit daily

Security-critical information should be forwarded immediately (i.e. to your database)

Define services / ports that are "local" and "remote"

For remote ports

If a configuration fix is available apply that immediately

If a configuration fix is not available, do a recursive portupgrade for the port.

If the system is critical, no fix is available, and kiddies are exploiting it, prepare to switch to a different port (e.g. temporarily switch to lighty if apache is bugged)

Consider having a working minimal config in place, just in case.

For local ports

If it concerns web-related, exploitable stuff (PHP, graphics libraries like libjpeg), update recursively at once

Fix everything else after a reasonable time
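
The remote/local decision rules above, written as a triage script over a portaudit report. This is an added example, not part of the original policy; the three port lists and the sample report lines are assumptions to be replaced with your own.

```sh
# Added example: map "Affected package:" lines from a portaudit report
# to the policy's actions. The three lists are site-specific assumptions.
REMOTE_PORTS="apache lighttpd"     # ports offering a network service
WEB_LOCAL_PORTS="php5 jpeg png"    # local, but fed by web content
CONFIG_FIX_PORTS=""                # ports whose advisory offers a config fix

in_list() {                        # in_list NAME "space separated list"
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

classify() {                       # classify PORTNAME -> policy action
    if in_list "$1" "$REMOTE_PORTS"; then
        if in_list "$1" "$CONFIG_FIX_PORTS"; then
            echo "remote: apply configuration fix immediately"
        else
            echo "remote: recursive portupgrade"
        fi
    elif in_list "$1" "$WEB_LOCAL_PORTS"; then
        echo "local-web: update recursively, immediately"
    else
        echo "local: fix after reasonable time"
    fi
}

triage() {                         # stdin: portaudit report text
    while IFS= read -r line; do
        case $line in
            "Affected package: "*)
                pkg=${line#"Affected package: "}
                name=${pkg%-*}     # strip version: apache-2.2.17_1 -> apache
                printf '%s\t%s\n' "$pkg" "$(classify "$name")" ;;
        esac
    done
}

sample_report() {                  # constructed sample, not real advisories
    cat <<'EOF'
Affected package: apache-2.2.17_1
Type of problem: apache -- constructed sample entry.
Affected package: jpeg-8_3
Type of problem: jpeg -- constructed sample entry.
Affected package: vim-7.3.81
Type of problem: vim -- constructed sample entry.
EOF
}

sample_report | triage
```

Add a port to CONFIG_FIX_PORTS once you have read its advisory and confirmed a configuration workaround exists; the report itself does not carry that information.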

Standard Patching

Save time

  • Keep downtimes short by automatically downloading and building in advance!
  • Run automatic backups before your update
  • Use failover servers or binary updates

Scarce downtime?

Update Base 2 times a year

Update Ports 6 times a year - stop service, apply new packages, start service


Update Base 4 times a year

Update Ports 6 times a year.

Always: Update Ports providing important services if any of them falls more than 6 minor versions behind the stable upstream version.