Skip to content

Draft: Clarify forced prioritization guidance for Ops Sub-department

Sam Goldstein requested to merge samgopsforceprioritization into master

Why is this change being made?

GitLab's Product Prioritization Framework is explicit about the priority with which known security vulnerabilities should be handled. In practice we have been inconsistent in following the rules and guidelines laid out in the framework. This MR clarifies how stage groups should handle known security vulnerabilities to stay consistent with the Product Prioritization Framework.

More Context

GitLab's Product Prioritization Framework explicitly lists Security fixes as Priority 1 and "forced prioritization items with SLAs/SLOs". The forced prioritization language was added by Product leaders in this MR: !48644 (merged)

We've made a change to the prioritization language to indicate they are guidelines. However, there are a few items in the table that have actual service level agreements/objectives PMs need to meet. This is a simple iteration to outline the two (Security and Availability) that are "forced."

Why does the Product framework include forced prioritization?

Security vulnerabilities are a global risk to GitLab's customers and business. If a vulnerability is successfully exploited, the damage would be to GitLab's customers and brand, not to a specific stage group. GitLab's security posture must be considered across the full product, and it is therefore not reasonable to ask stage group EMs and PMs to make prioritization tradeoff between GitLab's security posture and other team priorities. Forced prioritization is used to ensure that security vulnerabilities are handled consistently across all groups.

Author Checklist

  • Provided a concise title for the MR
  • Added a description to this MR explaining the reasons for the proposed change, per say-why-not-just-what
    • Copy/paste the Slack conversation to document it for later, or upload screenshots. Verify that no confidential data is added.
  • Assign reviewers for this change to the correct DRI(s)
    • If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the "Maintained by" section in on the page being edited.
    • If your manager does not have merge rights, please ask someone to merge it AFTER it has been approved by your manager in #mr-buddies.
  • If the changes affect team members, or warrant an announcement in another way, please consider posting an update in #whats-happening-at-gitlab linking to this MR.
    • If this is a change that directly impacts the majority of global team members, it should be a candidate for #company-fyi. Please work with internal communications and check the handbook for examples.
Edited by Sam Goldstein

Merge request reports