Draft: Update product development flow and associated security handbook page to align with recent development stage guidance

Why is this change being made?

This MR operationalizes security requirements for feature maturity stages following the Development Stages Support Policy update.

Problem: The Product Development Flow handbook contained multiple TODO placeholders for security requirements. Teams lacked operational guidance on security gates, exception processes, and approval authorities for moving features between maturity stages.

Solution:

  1. Creates new Feature Maturity Security Gates handbook page with operational implementation guidance
  2. Updates Product Development Flow to integrate security checkpoints throughout the workflow and eliminates previous TODOs

Changes Summary

New: Feature Maturity Security Gates (/handbook/security/product-security/feature-maturity-security-gates/)

Internal operational handbook providing:

  • Core evaluation framework (incident response test, severity mapping to maturity gates)
  • Stage-specific requirements for Experimental→Beta and Beta→GA transitions
  • Multi-tenant isolation requirements and Customer Zero (internal testing) guidance
  • Exception process with approval authorities (VP for Exp→Beta, E-Group for Beta→GA)
  • Operational guidance for Product, Engineering, and Security teams
  • Capacity management, compliance considerations, and comprehensive FAQ

Updated: Product Development Flow

Integration throughout workflow:

  • Added "Security Requirements by Maturity Stage" section at top (cross-references policy and operational guidance)
  • Enhanced Solution Validation phase with security planning checkpoint
  • Enhanced Plan phase with security readiness validation
  • Clarified security review is blocking for GA with exception process guidance

Eliminated previous TODOs:

  • Experiment features: Added security/operational requirements (opt-in, tenant isolation, telemetry, exception process)
  • Beta features: Added security planning requirements (security release plan, audit logging plan)
  • Limited Availability: New section with operational requirements (security release process, audit logging, runbooks)
  • Generally Available: Complete requirements (security review, vulnerability management, platform availability, documentation, telemetry, scalability)
  • Security exit criteria: New section defining requirements for maturity transitions

Key Principles

  • Explicit opt-in: Pre-GA features disabled by default
  • Tenant isolation: Multi-tenant features cannot allow opt-in users to create risk for others
  • Incident response test: Features don't ship with risks requiring urgent post-GA patching
  • Exception governance: VP or E-Group approval required for deviations

Related

Customer-facing policy: gitlab-org/gitlab!209126 (merged)

Author and Reviewer Checklist

Please verify the checklist and ensure the items are ticked off before the MR is merged.

  • Provided a concise title for this Merge Request (MR)
  • Added a description to this MR explaining the reasons for the proposed change, i.e., say why, not just what
    • Copy/paste the Slack conversation to document it for later, or upload screenshots. Verify that no confidential data is added, and the content is SAFE
  • Assign reviewers for this MR to the correct
    • The when to get approval handbook section explains when DRI approval is required
    • The who can approve handbook section explains how to identify the DRI
    • If the MR does not require DRI approval, consider asking someone on your team, such as your manager.
    • The approver may merge the MR. If they approve but don't merge, you can merge.
  • For transparency, share this MR with the audience that will be impacted.
    • Team: For changes that affect your direct team, share in your group Slack channel
    • Department: If the update affects your department, share the MR in your department Slack channel
    • Division: If the update affects your division, share the MR in your division Slack channel
    • Company: If the update affects all (or the majority of) GitLab team members, post an update in #whats-happening-at-gitlab linking to this MR

Commits

  • Update 2 files
  • /content/handbook/product-development/how-we-work/product-development-flow/_index.md
  • /content/handbook/security/product-security/feature-maturity-security-gates.md

Edited by Julie Davila
