Skip to content

Update security policy direction

Grant Hickman requested to merge g.hickman-oct-18-direction-page-update into master

Why is this change being made?

💡 Provide a detailed answer to the question on why this change is being proposed, in accordance with our value of Transparency.

As refinement of Improve how AppSec teams handle vulnerability m... (gitlab-org&11020) has taken some time, to identify the complex cross-functional use cases, and as the scope of the epic has grown, we plan to finish refining the epic in %16.6. We will then break it down into smaller epics, prioritize them, and then pull them back into the direction page.

In the interest of our timeline, priorities, and sensitivity of the compliance pipeline to security policy migration (and the desired compliance pipeline deprecation by %17.0), we will be elevating the priority of these features.

We will return to plans in Improve how AppSec teams handle vulnerability m... (gitlab-org&11020) once we've made more progress on the priorities above.

With the great work and refinement on Improve how AppSec teams handle vulnerability m... (gitlab-org&11020) this also helps us communicate the open gaps to customers and communicate our plans to address them. De-prioritization will mean we will continue to have some customer support issues arise here, but we can now highlight exactly what the gaps are and share timelines. We also have improved logging to identify when these issues arise.

Lastly, we've also identified dependencies from Threat Insights that, once completed, will help us complete the changes on our end, which also affects the prioritization here.

Author and Reviewer Checklist

Please verify the check list and ensure to tick them off before the MR is merged.

  • Provided a concise title for this Merge Request (MR)
  • Added a description to this MR explaining the reasons for the proposed change, per say why, not just what
    • Copy/paste the Slack conversation to document it for later, or upload screenshots. Verify that no confidential data is added, and the content is SAFE
  • Assign reviewers for this MR to the correct Directly Responsible Individual/s (DRI)
    • If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the Maintained by section on the page being edited
    • If your manager does not have merge rights, please ask someone to merge it AFTER it has been approved by your manager in #mr-buddies
    • The when to get approval handbook section explains the workflow in more detail
  • For transparency, share this MR with the audience that will be impacted.
    • Team: For changes that affect your direct team, share in your group Slack channel
    • Department: If the update affects your department, share the MR in your department Slack channel
    • Company: If the update affects all (or the majority of) GitLab team members, post an update in #whats-happening-at-gitlab linking to this MR

Edited by Grant Hickman

Merge request reports

Loading