Product should get sign-off from Security if we plan to slip a due date

Multiple teams are feeling the pinch from security issues in %11.7, and we expect this to be amplified when HackerOne goes public on December 11.

Currently, Manage has 12 open P2s and 55 open P3s. Following our SLA rules for security issues would mean that these 67 issues must all be closed within 90 days. For a team of 4 backenders, closing security issues at a pace of ~22 per release is just not possible.

Given that we'll need to prioritize and miss due dates on a substantial number of these issues, we should consider a process for doing so in a transparent way that gives the Security team a chance to highlight areas of greatest risk, which we'll prioritize.

When a PM anticipates this happening, it should be acceptable to propose a plan that highlights the security issues we anticipate missing. Once we identify these in the proposal, we can elect to postpone them to a future release or try to find other engineering resources to close the gap ASAP.

cc @gl-product @kathyw @tommy.morgan @dhavens