Skip to content

Put FedRAMP vulns in the "Open to GitLab" category

Nick Malcolm requested to merge master-patch-4b9a into master

Why is this change being made?

Following up on a Slack conversation (internal only): https://gitlab.slack.com/archives/C0110E0NMT9/p1679923485846709?thread_ts=1679912071.709759&cid=C0110E0NMT9

By default, patched vulnerabilities are typically made public after 30 days. That's because "our position is that all information and activities produced by the security team should be considered "Public by Default" unless defined below...".

By explicitly putting FedRAMP vulnerabilities in the "Open to GitLab" exclusions category, we are transparent that we won't be transparent 😆

Existing handbook comments on disclosure

At GitLab we value being as transparent as possible, even when it costs. Part of this is making confidential GitLab issues about security vulnerabilities public 30 days after a patch.

https://about.gitlab.com/handbook/security/#process-for-disclosing-security-issues

All vulnerabilities will be made public via our issue tracker 30 days after releasing the fix. We try and redact all information considered sensitive (such as cookies, tokens, data details). The only time we will make an exception and not make a vulnerability public is when it contains sensitive data which we are unable to redact or remove from the report.

https://about.gitlab.com/security/disclosure/#vulnerability-disclosure

Author Checklist

  • Provided a concise title for this Merge Request (MR)
  • Added a description to this MR explaining the reasons for the proposed change, per say why, not just what
    • Copy/paste the Slack conversation to document it for later, or upload screenshots. Verify that no confidential data is added, and the content is SAFE
  • Assign reviewers for this MR to the correct Directly Responsible Individual/s (DRI)
    • If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the Maintained by section on the page being edited
    • If your manager does not have merge rights, please ask someone to merge it AFTER it has been approved by your manager in #mr-buddies
    • The when to get approval handbook section explains the workflow in more detail
  • If the changes affect team members, or warrant an announcement in another way, please consider posting an update in #whats-happening-at-gitlab linking to this MR
    • If this is a change that directly impacts the majority of global team members, it should be a candidate for #company-fyi. Please work with internal communications and check the handbook for examples.

Merge request reports