Add optional step to summarize CVSS council discussions on the canonical issue
Why is this change being made?
AppSec discussed how we can be more transparent about the CVSS scores we agree on during vulnerability triage and remediation. The discussion happened in private at https://gitlab.com/gitlab-com/gl-security/appsec/appsec-team/-/issues/512+ (team members only).
One idea that seemed acceptable was to summarise the rationale for the CVSS score on the canonical issue. This helps teams understand the severity during remediation and, when the issue becomes public, it gives transparency to researchers and customers on how we reached a given score. This MR implements that idea.
Making the entire discussion transparent was decided to be a not ideal option. There is a lot of back and forth as we come to understand the issue. We often reference other confidential issues or vulnerabilities with SLAs longer than the issue at hand, which would prevent us from making it public until that other issue is public too. There was a concern about how team members might get hassled by the community for misunderstanding something along the way. For these reasons the potential costs outweighed the benefit of "transparency even when it costs".
Examples
Sometimes this already happens, when a comment is imported from HackerOne:
gitlab-org/gitlab#422142 (comment 1514719168)
Sometimes a researcher includes one in their report, which we may or may not agree with (and it would be great to say why):
gitlab-org/gitlab#422142 (comment 1514719168)
Author and Reviewer Checklist
Please verify the check list and ensure to tick them off before the MR is merged.
-
Provided a concise title for this Merge Request (MR) -
Added a description to this MR explaining the reasons for the proposed change, per say why, not just what - Copy/paste the Slack conversation to document it for later, or upload screenshots. Verify that no confidential data is added, and the content is SAFE
-
Assign reviewers for this MR to the correct Directly Responsible Individual/s (DRI) - If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the
Maintained bysection on the page being edited - If your manager does not have merge rights, please ask someone to merge it AFTER it has been approved by your manager in #mr-buddies
- The when to get approval handbook section explains the workflow in more detail
- If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the
-
For transparency, share this MR with the audience that will be impacted. -
Team: For changes that affect your direct team, share in your group Slack channel -
Department: If the update affects your department, share the MR in your department Slack channel -
Company: If the update affects all (or the majority of) GitLab team members, post an update in #whats-happening-at-gitlab linking to this MR - For high-priority company-wide announcements work with the internal communications team to post the update in #company-fyi and align on a plan to circulate in additional channels like the "While You Were Iterating" Newsletter
-