Final version for Vulnerability SLA updates (other MRs aged out)

Julia Lake requested to merge Julia.Lake-master-patch-94971 into master

Why is this change being made?

This MR makes two key changes:

  1. Sets the remediation SLA for High CVSS findings from our scanners to be an S1/P1 to comply with FedRAMP requirements. Previously they would be categorized as S2/P2.
  2. Sets the remediation SLA for S4 to 180 days, only for vulnerabilities.

The rationale for these changes is:

  1. Comply with FedRAMP CVSS handling requirements.
  2. Rely on a Triage Bot to nudge/remind folks, in particular for S4, which has a custom SLA.

Related MR (aged): !109378 (closed)

Related announcement: https://gitlab.slack.com/archives/C0110E0NMT9/p1660605096706069

Additional procedural updates to follow

Author Checklist

  • Provided a concise title for this Merge Request (MR)
  • Added a description to this MR explaining the reasons for the proposed change, per "say why, not just what"
    • Copy/paste the Slack conversation to document it for later, or upload screenshots. Verify that no confidential data is added.
  • Assign reviewers for this MR to the correct Directly Responsible Individual/s (DRI)
    • If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the Maintained by section on the page being edited
    • If your manager does not have merge rights, please ask someone to merge it AFTER it has been approved by your manager in #mr-buddies
  • If the changes affect team members, or warrant an announcement in another way, please consider posting an update in #whats-happening-at-gitlab linking to this MR
    • If this is a change that directly impacts the majority of global team members, it should be a candidate for #company-fyi. Please work with internal communications and check the handbook for examples.

Edited by Julia Lake