Security patches: how frequent and how urgent are they on each edition?

Both editions get the same patches; the difference is delivery channel and timing.

  • Cadence: Adobe ships ~4 quarterly Magento Security Patches per year, plus emergency hotfixes for critical CVEs (typically 2–4 of those per year).
  • AC delivery: patches available via Adobe support portal with pre-disclosure window (~1–2 weeks before public CVE). AC customers can patch ahead of public disclosure.
  • OS delivery: patches drop to GitHub / Composer simultaneously with public CVE disclosure. No pre-disclosure window.
  • Application urgency: high. Magento has been actively exploited (Magecart skimmer attacks 2021–2024). Stores 30+ days behind on patches show up in scanning. Mage Report / Sansec / Sucuri all monitor patch status publicly.

For stores in regulated industries with mandatory patch-window SLAs, AC’s pre-disclosure + direct delivery is genuinely load-bearing. For typical D2C stores, OS + a patching retainer ($200–500/mo for an agency to apply patches within 7 days) covers the operational equivalent.
