@@ -29,6 +29,7 @@ The following rotations are defined:
- If the merge request references a legitimate security issue
- If the referenced confidential issue has a `~security-fix-in-public` label, indicating it [has been approved by an AppSec team member to be fixed in public](/handbook/security/product-security/security-platforms-architecture/application-security/vulnerability-management#fixing-in-public), link to the comment granting approval or include a message in the AppSec Triage Dashboard issue denoting that the `~security-fix-in-public` label was added.
- Decide if it can be public anyway, and apply the `~security-fix-in-public` label retrospectively
- It is acceptable to fix a security issue in public if it is [behind a feature flag disabled by default.](/handbook/security/product-security/psirt/runbooks/hackerone-process/#triaging-features-behind-a-feature-flag)
- Otherwise contact SIRT and the merge request author to get the merge request removed.
- Use the `Urgent - SEOC should be paged right away` option if waiting up to 24 hours for a resolution would be too long.
- First responder to mentions of the following group aliases:
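Review bot: the new feature-flag bullet in this hunk does not say whether the `~security-fix-in-public` label (applied retrospectively per the preceding bullet) and the approval link or AppSec Triage Dashboard message are still required when a fix is public only because the flag is disabled by default; readers may take the new bullet as a standalone exemption, so consider either stating that the label and approval comment are still expected or that the feature-flag case is exempt, e.g. `- It is acceptable to fix a security issue in public if it is [behind a feature flag disabled by default](...); still apply the ~security-fix-in-public label and link the approval.` Minor style point on the same line: the trailing period is inside the link text (`by default.](`), so move it after the closing `)` of the link.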