[Feature flag] Rollout of `cve_id_request_button`

What

Remove the :cve_id_request_button feature flag

Original MR: !41203 (merged)

Owners

  • Team: @gitlab-org/secure/vulnerability-research
  • Most appropriate slack channel to reach out to: #g_secure-vulnerability-research
  • Best individual to reach out to: @d0c-s4vage

Expectations

What are we expecting to happen?

This feature flag is intended to be used to incrementally roll out the CVE ID Request button feature in the issue sidebar.

Being able to incrementally roll out the CVE ID Request button will let the Vulnerability Research team react to and handle new volumes of CVE ID requests without being overwhelmed. Additionally, if the feature is rolled out to only 10% of users, and the Vulnerability Research team receives 100 new requests within a time frame, the data could be extrapolated to estimate the number of requests the team might receive if the feature were enabled for all users.

Plan: Increase the percentage that the CVE ID Request button is rolled out on a weekly basis:

  • Week 0: 11%
  • Week 1: 33%
  • Week 2: 100%

What might happen if this goes wrong?

This feature should not have any performance impact and should not affect the stability of GitLab.

If the rollout "goes wrong", the Vulnerability Research team will be overwhelmed with incoming CVE ID requests.

What can we monitor to detect problems with this?

A project is being developed to track the Vulnerability Research team's work as a CNA: cna-stats.

The data from this project will be used to calculate our average response time and whether we meet our SLA in handling incoming CVE ID requests (see the issue for stats). The data from this project will be added to Sisense (see issue).

Beta groups/projects

  • gitlab-org/gitlab - The security team would like to use this feature as soon as it's available

Roll Out Steps

  • Enable on staging (/chatops run feature set cve_id_request_button true --staging)
  • Test on staging
  • Ensure that documentation has been updated
  • Enable on GitLab.com for individual groups/projects listed above and verify behaviour (/chatops run feature set --project=gitlab-org/gitlab cve_id_request_button true)
  • Coordinate a time to enable the flag with the SRE oncall and release managers
    • In #production mention @sre-oncall and @release-managers. Once an on-call SRE and an on-call Release Manager confirm, you can proceed with the rollout
  • Announce on the issue an estimated time this will be enabled on GitLab.com
  • Enable on GitLab.com by running chatops command in #production (/chatops run feature set cve_id_request_button true)
  • Cross-post the chatops Slack command to #support_gitlab-com (more guidance on when this is necessary is in the dev docs) and in your team channel
  • Announce on the issue that the flag has been enabled
  • Remove feature flag and add changelog entry
  • After the flag removal is deployed, clean up the feature flag by running chatops command in #production channel

Rollback Steps

  • This feature can be disabled by running the following Chatops command:
    /chatops run feature set --project=gitlab-org/gitlab cve_id_request_button false
Edited by Julian Thome