Update Vulnerability Management handbook page with several procedure and automation clarifications
Why is this change being made?
💡 Provide a detailed answer to the question on why this change is being proposed, in accordance with our value of Transparency.
Several team members have recently had clarifying questions which they needed to ask the Security team to unblock them. These changes clarify parts of the Vulnerability Management standard and procedure to address questions team members have had about -
- When they can safely close vulnerability tracking issues
- How they can avoid non-actionable vulnerabilities cluttering issue boards
- How specific situations with vendor package dependencies should be handled
- Current automation functionality and roadmap items
- The difference between package fix statuses used in labels
By clarifying & expanding on these procedures and providing common scenarios in the handbook page we will:
- Unblock team members when working with security vulnerabilities
- Increase the clarity and confident with which team members can handle vulnerability findings in the projects they are responsible for
- Provide more transparency about why procedures are in place
- Provide more transparency around automation and current limitations
- Encourage team members to collaborate with Security on ways we can improve these procedures
- Encourage team members to collaborate with Security on building impactful and helpful automation
Author and Reviewer Checklist
Please verify the check list and ensure to tick them off before the MR is merged.
-
Provided a concise title for this Merge Request (MR) -
Added a description to this MR explaining the reasons for the proposed change, per say why, not just what - Copy/paste the Slack conversation to document it for later, or upload screenshots. Verify that no confidential data is added, and the content is SAFE
-
Assign reviewers for this MR to the correct Directly Responsible Individual/s (DRI) - If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the
Maintained by
section on the page being edited - If your manager does not have merge rights, please ask someone to merge it AFTER it has been approved by your manager in #mr-buddies
- The when to get approval handbook section explains the workflow in more detail
- If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the
-
For transparency, share this MR with the audience that will be impacted. -
Team: For changes that affect your direct team, share in your group Slack channel -
Department: If the update affects your department, share the MR in your department Slack channel -
Company: If the update affects all (or the majority of) GitLab team members, post an update in #whats-happening-at-gitlab linking to this MR - For high-priority company-wide announcements work with the internal communications team to post the update in #company-fyi and align on a plan to circulate in additional channels like the "While You Were Iterating" Newsletter
-
Edited by James Hebden