Guidance for Support Engineers on 3rd party links
Request for comments
Need
In https://gitlab.slack.com/archives/CCBJYEWAW/p1675269407293479 (Expires 2023-02-01 + 90 days) we discovered a conflict in our Statement of Support:
- https://about.gitlab.com/support/general-policies/#please-dont-send-encrypted-messages says "Support Engineers won't click 3rd party links to retrieve ticket body text"
- https://about.gitlab.com/support/providing-large-files/#file-sharing-services says "... but we will if you're sharing a file with us"
While not in direct conflict, it seems inconsistent to be willing to click 3rd party links for some things but not others.
Approach
I raised gitlab-com/marketing/digital-experience/buyer-experience!1633 (closed), which updates the policy to be more consistent. Specifically, it advises:
- Support Engineers: don't click links in Support tickets.
- Customers: don't send links; we won't click on them - we'll use a documented process to receive files.
Benefit
Consistent security posture.
Competition / Alternatives
- Do nothing; this happens rarely.
- Allow engineers to use judgement: if a customer sends a 3rd party link for certain things, allow it.