Clarify labeling for vulnerabilities behind feature flags

Michelle Torresrequested to merge
michelletorres-master-patch-46213 into master

Why is this change being made?

According to https://about.gitlab.com/handbook/engineering/security/#severity-and-priority-labels-on-security-issues, time based SLAs do not apply to known vulnerabilities that are feature flagged and disabled.

Unfortunately, there is no easy way to identify if a vulnerability is feature flagged and that flag is disabled.

This MR adds clarification on how to label vulnerabilities issues to identify if they are behind a feature flag and it is disabled.

Relates to https://gitlab.com/gitlab-com/ops-sub-department/ops-engineering-management/-/issues/129

Author Checklist

  • Provided a concise title for this Merge Request (MR)
  • Added a description to this MR explaining the reasons for the proposed change, per say why, not just what
    • Copy/paste the Slack conversation to document it for later, or upload screenshots. Verify that no confidential data is added.
  • Assign reviewers for this MR to the correct Directly Responsible Individual/s (DRI)
    • If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the Maintained by section on the page being edited
    • If your manager does not have merge rights, please ask someone to merge it AFTER it has been approved by your manager in #mr-buddies
  • If the changes affect team members, or warrant an announcement in another way, please consider posting an update in #whats-happening-at-gitlab linking to this MR
    • If this is a change that directly impacts the majority of global team members, it should be a candidate for #company-fyi. Please work with internal communications and check the handbook for examples.
Edited by Michelle Torres

Merge request reports