Security report schemas release policy

Release notes

Problem to solve

As part of introducing the Generic security report schema, we've embedded the security report schemas into GitLab so that we could perform schema validation on security report artifacts.

Before validation is enforced for all security reports, we need to agree on how schema changes are proposed, implemented and deployed across the analyzers and the GitLab rails application.

See also @sethgitlab's example.

Proposal

Any changes to the security report schemas or their release process must follow these rules:

  1. Proposed changes are to be reviewed by the architectural council.
  2. Proposals must be explicitly responded to by groupthreat insights.
  3. Backwards-compatible changes that have been approved can be released with any GitLab minor version.
  4. Backwards-incompatible changes need to:
    1. Be announced at least 3 months in advance.
    2. Be released at GitLab X.0 and X.6 milestones.
Edited Jul 08, 2021 by Thiago Figueiró