@@ -11,7 +11,7 @@ Information about SIRT responsibilities and incident ownership is available in t
## Incident Severity
Before engaging the SEOC, please review [our severity and priority levels](/handbook/security/security-operations/sirt/severity-matrix/) to ensure that the incident has been assigned the appropriate level of response.
Before engaging the SEOC, please review [our severity levels](/handbook/security/security-operations/sirt/severity-matrix/) to ensure that the incident has been assigned the appropriate level of response.
For phishing related issues, see the [phishing](#phishing) section below. For other non-urgent issues, see the [low severity issues](#low-severity-issues) section.
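Review bot: dropping "priority" from the link text leaves the severity-matrix link describing only severity, which matches the later change to the form description, but the link target is unchanged; confirm that the linked severity-matrix page itself no longer defines priority levels, otherwise the new text under-describes what the reader will find there and the old wording "severity and priority levels" should stay.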
@@ -25,7 +25,7 @@ The following items are out of scope for SIRT and should be escalated to the res
## Low Severity Issues
For general Q&A, GitLab Security is available in the `#security` channel in GitLab Slack.
For general Q&A, GitLab Security is available in the `#security_help` channel in GitLab Slack.
For low severity, non-urgent issues, [SIRT](/handbook/security/security-operations/sirt/) can be reached by using the `@sirt-members` handle in Slack, `@sirt-oncall` to specifically request the Security Engineer On-call (SEOC) or by requesting the incident form link, using the `/security` slash command in Slack. (Note: this command does not work inside Slack threads)
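Review bot: renaming the channel from `#security` to `#security_help` is a silent change for anyone following the old text; state in the same sentence that `#security_help` replaces `#security` (or that the old channel is archived), so a reader who lands in the wrong channel knows where to go. The unchanged context line still ends with an unpunctuated parenthetical, "(Note: this command does not work inside Slack threads)", which should carry a period.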
@@ -43,15 +43,15 @@ If you have identified a security incident or you need immediate assistance from
-**Slack**: use the `/security` slash command
The Slack command triggers SIRT's Escalation Workflow. You will be sent a link to file a security incident using a Tines webform. This form asks questions about the incident that help the SIRT automatically determine *severity* and *priority*. Depending on which labels get assigned, the SEOC will be paged.
The Slack command triggers SIRT's Escalation Workflow. You will be sent a link to file a security incident using a Tines webform. This form asks questions about the incident that help the SIRT automatically determine the *severity*. You can optionally choose to send a page (Severity 1 & 2).
For more information on how the form is processed and labels are assigned, consult SIRT's [incident classification](/handbook/security/security-operations/sirt/severity-matrix/) methodology.
For more information on how the form is processed and labels are assigned, consult SIRT's [Security Incident Severity Matrix](/handbook/security/security-operations/sirt/severity-matrix/).
The workflow uses your answers to create a new issue and track the reported incident. Please provide as many details as possible when answering the open questions to aid the SEOC in their investigation of the incident. If you do not receive a link to the incident issue, please contact a SIRT engineer (see next paragraph).
The workflow uses your answers to create an investigation, where the SEOC will determine if it needs to be escalated into an incident. Please provide as many details as possible when answering the open questions to aid the SEOC in their investigation.
For small requests like an indication if something is a security issue, questions on ongoing incidents or SIRT FYIs, team members can use:
For small requests like an indication if something is a security issue, questions on ongoing incidents or SIRT FYIs, team members can use the Slack handle:
- @sirt-oncall
-`@sirt-oncall`
This tags the current on call engineer.
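Review bot: the rewrite of the "workflow uses your answers" paragraph drops the fallback "If you do not receive a link to the incident issue, please contact a SIRT engineer (see next paragraph)", so a reporter whose webform submission fails silently no longer has an instruction; keep an equivalent sentence for the investigation that the new workflow creates. Also, the replacement form-description line no longer mentions labels, yet the following line still reads "how the form is processed and labels are assigned"; either keep the label wording consistent across both lines or remove it from the second.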
@@ -59,6 +59,4 @@ If the security incident prevents you from accessing Slack:
-**Email**: send an email with a brief description of the issue to `panic@gitlab.com`
The SEOC will engage in the relevant issue within the appropriate [SLA](/handbook/engineering/infrastructure-platforms/incident-management/on-call/#security-team-on-call-rotation). If the SLA is breached, the [Security Manager On-Call (SMOC)](/handbook/engineering/infrastructure-platforms/incident-management/on-call/#security-managers) will be paged. Paging the SEOC via email also creates a new issue to track the incident being reported. You may provide a detailed explanation of the incident directly in the issue.
If paged, the SEOC will typically respond within **15 minutes** and may have questions which require synchronous communication from the incident reporter. It is important when paging the SEOC that the incident reporter be prepared and available for this synchronous communication in the initial stage of the incident response.
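Review bot: the unchanged context here still says "Paging the SEOC via email also creates a new issue to track the incident being reported", while the Slack path earlier in the patch was changed to say the workflow creates an investigation that the SEOC may escalate into an incident; the two paths now use different terminology for what the reporter gets, so align this sentence with the new investigation wording (or note that the email path genuinely differs) to avoid confusing reporters about where to add details.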