Do not send 'sensitive' information in e-mail notifications
Problem to solve
Organizations often have rules such as "do not leak IP through e-mail". As e-mail is insecure by default (transport encryption is opportunistic, and the message ends up in mailboxes outside the organization's control), this is understandable; however, we currently only have one checkbox to enable or disable e-mail notifications. As an administrator, I want more fine-grained control over what kinds of notifications are sent, e.g. only mentions, only pipeline failures, and so on.
For the MVP, however, we want to ensure that even for mentions we can disable quoting of the comment text (and therefore any code in it). For the MVP this can be as simple as e-mailing only a notification that a comment exists, without its content: filtering the content is hard to do reliably, for example when a user pastes code without marking it as code.
Intended users
- Cameron (Compliance Manager)
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
- Alex (Security Operations Engineer)
- Simone (Software Engineer in Test)
- Allison (Application Ops)
User experience goal
Users want to receive e-mail notifications on changes, e.g. mentions and failed pipelines. The security team wants to ensure no IP leaks via this channel.
Proposal
As mentioned above, add a checkbox so that, rather than completely disabling notifications, an administrator can have minimal notifications sent that contain no sensitive content (the event type, the project and a link, but no comment text, code or snippet content). In the future this can be extended to selecting the types of notifications to send, where the minimal mode would be one of the options.
Permissions and Security
- Add expected impact to members with no access (0)
- Add expected impact to Guest (10) members
- Add expected impact to Reporter (20) members
- Add expected impact to Developer (30) members
- Add expected impact to Maintainer (40) members
- Add expected impact to Owner (50) members
Documentation
This change requires documentation updates that clearly describe the behavior of minimal notifications (what is and is not included in the e-mail) and note that the option exists to meet compliance requirements from the IT/security department.
Availability & Testing
From a testing point of view, we need to ensure that when 'minimal notifications' are enabled, only the notification itself is sent: no code, snippets or user comment text may appear in the e-mail subject or body.
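To make the proposal and the test expectation above concrete, here is an added illustration in Ruby. It is not GitLab's notification code; the NotificationMailer class, the minimal_notifications setting, the Note struct, the SAMPLE_NOTE comment and the helper names are all assumed for the example. It shows a mailer with the proposed minimal mode, a check that the rendered mail contains none of the comment text or issue title, and a naive filter that strips only fenced code blocks, to show why filtering content is not a reliable substitute for omitting it.

```ruby
# Added illustration for this proposal; not GitLab's notification code.
# NotificationMailer, minimal_notifications, Note and SAMPLE_NOTE are assumed names.

Note = Struct.new(:author, :project, :issue_title, :body, keyword_init: true)

# A Markdown code fence, built with string multiplication so that the fence
# itself does not appear literally in this listing.
FENCE = '`' * 3

# Constructed sample comment: a mention that quotes a credential in a fenced
# block and a second one in inline code outside any fence.
SAMPLE_NOTE = Note.new(
  author: 'sasha',
  project: 'acme/billing',
  issue_title: 'Rotate the payment gateway credentials',
  body: "@devon this is the call that still uses the old key:\n\n" \
        "#{FENCE}ruby\ngateway = Gateway.new(api_key: \"sk_live_example\")\n#{FENCE}\n\n" \
        "and config/initializers/gateway.rb still has `secret_token = \"example\"`."
)

class NotificationMailer
  # minimal_notifications models the proposed admin checkbox (assumed name).
  def initialize(minimal_notifications: false)
    @minimal = minimal_notifications
  end

  # Render a "you were mentioned" e-mail as a subject/body hash.
  def mention_email(note)
    if @minimal
      # Minimal mode: only the fact that a comment exists, where it is and
      # who wrote it. No issue title, no comment text, no code.
      {
        subject: "#{note.author} mentioned you in #{note.project}",
        body: "#{note.author} mentioned you in a comment in project #{note.project}. " \
              'Sign in to read the comment.'
      }
    else
      # Current behaviour: the comment is quoted in full.
      {
        subject: "#{note.author} mentioned you in #{note.project}",
        body: "#{note.author} mentioned you in \"#{note.issue_title}\":\n\n#{note.body}"
      }
    end
  end
end

# Test helper matching the "Availability & Testing" requirement: true if any
# non-empty line of the comment, or the issue title, appears in the mail.
def leaks_note_content?(mail, note)
  fragments = note.body.lines.map(&:strip).reject(&:empty?) << note.issue_title
  text = "#{mail[:subject]}\n#{mail[:body]}"
  fragments.any? { |fragment| text.include?(fragment) }
end

# A naive content filter that drops fenced code blocks only. It is here to show
# why filtering is hard: code pasted outside a fence passes straight through.
def strip_fenced_code(text)
  fence = Regexp.escape(FENCE)
  text.gsub(/#{fence}.*?#{fence}/m, '[code removed]')
end

if __FILE__ == $PROGRAM_NAME
  full = NotificationMailer.new.mention_email(SAMPLE_NOTE)
  minimal = NotificationMailer.new(minimal_notifications: true).mention_email(SAMPLE_NOTE)
  puts "full mail leaks comment content: #{leaks_note_content?(full, SAMPLE_NOTE)}"
  puts "minimal mail leaks comment content: #{leaks_note_content?(minimal, SAMPLE_NOTE)}"
  filtered = strip_fenced_code(SAMPLE_NOTE.body)
  puts "filtered body still contains secret_token: #{filtered.include?('secret_token')}"
end
```

Run stand-alone, the full mail leaks every line of the comment, the minimal mail leaks none of them, and the fence-stripping filter removes the fenced key but leaves the inline one, which is the case the MVP sidesteps by sending no comment content at all. A real test for the feature would render each notification type with the setting enabled and apply a check like leaks_note_content? to the subject, the text body and the HTML body.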
What does success look like, and how can we measure that?
IT is satisfied that GitLab complies with its security policy of not leaking confidential data via e-mail.
What is the type of buyer?
While the first reaction would be that the typical buyer is any corporate entity, the problem is more subtle. A company may be very happy to use GitLab's free tier but does not wish to pay for it (for whatever reason). Its solution is then simple: disable notifications, problem solved.
The people who suffer from this, however, are the developers. They have no say, they get no notifications, and their work becomes harder because of 'IT Sec'.