### Problem to solve Add metrics to show the value of the vulnerability feature to customers, prospects, employees and security practitioners ### Intended users * [Delaney (Development Team Lead)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#delaney-development-team-lead) * [Sam (Security Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sam-security-analyst) * GitLab employee * Security practitioner ### Further details Track cross-customer metrics for first-class vulnerabilities so that we and our customers can: * Know adoption of the first-class vulnerability feature so customers, prospects, and employees can become confident in it * Know top trends in vulnerabilities tracked as first-class vulnerabilities so that security practitioners (customers and prospects) can be better informed in vulnerability security trends <!-- Include use cases, benefits, and/or goals (contributes to our vision?) --> ### Proposal Adoption - publish in Periscope and add to a page under the defend group (public): * Number of customers with >=1 vulnerability tracked (monthly) - customers tracking vulnerabilities in GitLab * Number of customers with >=1 vulnerability updated (monthly) - customers working vulnerabilities in GitLab * Total vulnerabilities tracked (monthly) Security trends - publish in Periscope and add to a page under the defend group (public). Do quarterly blog on trends observed and recommendations for customers based on those trends. * Number of added vulnerabilities by count and by number of unique customers (monthly) - vulnerability trends ### Permissions and Security <!-- What permissions are required to perform the described actions? Are they consistent with the existing permissions as documented for users, groups, and projects as appropriate? Is the proposed behavior consistent between the UI, API, and other access methods (e.g. email replies)?--> * This data will be public. Question: Do we want to make the adoption statistics public? * We will not collect data from self-hosted customers. * We will not display and customer-specific data. ### Documentation TBD ### Availability & Testing TBD ### What does success look like, and how can we measure that? * The metrics are available in new handbook pages ### What is the type of buyer? TBD ### Links / references cc @matt_wilson @plafoucriere @cblake @david @tstadelhofer