Vulnerability Database information page

### Problem to solve

It is difficult for users and GitLab staff to understand what is and is not currently in the Vulnerability Database, and how often that information is updated. When a new vulnerability is announced, users cannot easily tell whether GitLab is already scanning for it or whether they are potentially exposed to it. When users don't know what we scan for and whether it is current, they become fearful and doubtful. If they can't get answers to their questions, they either live with that fear or engage GitLab field staff.

### Intended users

* [Sam (Security Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sam-security-analyst)
* [Parker (Product Manager)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#parker-product-manager)
* [Rachel (Release Manager)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#rachel-release-manager)
* [Delaney (Development Team Lead)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#delaney-development-team-lead)

### Further details

There have been several customer conversations along the lines of "I heard about CVE XYZ - am I protected against it?" that this is intended to help address. These questions have come from non-security engineers, such as PMs, release managers, or CXOs.

### Proposal

Create a new page inside GitLab.com that allows viewers to:

1. ~~See how many vulnerabilities are currently in the Vulnerability Database~~ - This requirement was removed because the raw count needs a large amount of context to be meaningful beyond a vanity metric. We anticipate that many users will not have that context when viewing the page, so it is not helpful. We will consider re-adding it in a new issue if we get feedback that the raw number would be useful.
1. See the last time the database was updated.
1. See our current mean time-to-merge.
1. Search for a specific CVE and see whether we currently scan for it.
1. The page must be hosted on a GitLab.com domain and not be part of the Handbook.

Note: This page does not need to be part of a self-hosted installation; a single copy hosted on GitLab.com is sufficient.
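To make the three proposal items concrete, the following is an added Python sketch of the lookups the page would have to perform; it is illustrative only and is not GitLab's own code or database format. It assumes a hypothetical advisory record with a primary identifier, optional aliases (for example a GHSA id for the same issue), the upstream publication date and the date the entry was merged into the database; the sample records, ids and dates are constructed for the example. The point worth carrying onto the page is in `coverage`: a search miss means the id is not in the database, not that the user is unaffected.

```python
"""Added example for the proposed Vulnerability Database page (not GitLab code).

Assumes a simplified, hypothetical advisory record; the real database
layout is not specified in the issue.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
import re

# Identifier shapes accepted by the search box. Hypothetical choice: the
# real page could accept other advisory id schemes as well.
ID_PATTERNS = (
    re.compile(r"^CVE-\d{4}-\d{4,}$"),
    re.compile(r"^GHSA(?:-[23456789cfghjmpqrvwx]{4}){3}$"),
)


@dataclass(frozen=True)
class Advisory:
    identifier: str      # primary id as stored in the database
    published: date      # upstream publication / announcement date
    merged: date         # date the entry was merged into the database
    aliases: tuple = ()  # other ids naming the same issue


# Constructed sample records: ids, dates and aliases are made up for the example.
SAMPLE_DB = (
    Advisory("CVE-2020-11111", date(2020, 6, 1), date(2020, 6, 2), ("GHSA-2222-3333-4444",)),
    Advisory("CVE-2021-22222", date(2021, 3, 10), date(2021, 3, 15)),
    Advisory("CVE-2021-33333", date(2021, 9, 1), date(2021, 9, 1)),
)


def normalize_id(query):
    """Canonicalise user input and reject anything that is not a recognised id."""
    candidate = query.strip().upper()
    # GHSA ids are lower-case after the prefix; restore that before matching.
    if candidate.startswith("GHSA-"):
        candidate = "GHSA-" + candidate[5:].lower()
    if not any(p.match(candidate) for p in ID_PATTERNS):
        raise ValueError("not a CVE or GHSA identifier: %r" % query)
    return candidate


def is_valid_id(query):
    """True if the query normalises to an accepted identifier shape."""
    try:
        normalize_id(query)
    except ValueError:
        return False
    return True


def last_updated(db):
    """Most recent merge date across the database: the 'last updated' figure."""
    return max(a.merged for a in db)


def mean_time_to_merge_days(db):
    """Mean days from upstream publication to merge: the 'time-to-merge' metric."""
    return mean((a.merged - a.published).days for a in db)


def lookup(db, query):
    """Return the advisory whose primary id or alias matches the query, else None."""
    wanted = normalize_id(query)
    for adv in db:
        if wanted == adv.identifier or wanted in adv.aliases:
            return adv
    return None


def coverage(db, query):
    """Answer 'do we scan for this?' together with the caveat the page should show.

    A miss only says the id is not in the database; it does not say the user
    is unaffected, and the advisory may simply not have been merged yet.
    """
    adv = lookup(db, query)
    if adv is None:
        return {"status": "not_in_database",
                "note": "Absence means not yet covered, not 'not vulnerable'."}
    return {"status": "covered", "advisory": adv.identifier,
            "merged": adv.merged.isoformat()}
```

Normalising the query before matching matters because the people asking "am I protected against CVE XYZ?" paste ids in whatever case and spacing they found them in, and rejecting unrecognised input keeps the search from reporting "not covered" for a typo.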
Consider re-using the work done at https://caneldem.gitlab.io/vuln-pages/, https://about.gitlab.com/handbook/engineering/development/performance-indicators/#cve-issue-to-update, and the [Security Advisories dashboard](https://app.periscopedata.com/app/gitlab/588449/Security-Advisories) for this.

### Permissions and Security

Should be publicly visible on GitLab.com.

### Documentation

Documentation should be updated to reference the new page.

### What does success look like, and how can we measure that?

* Field staff can confidently answer customers that a given vulnerability they are concerned about is being scanned for. => Canvass field staff to confirm they get value out of the page.
* Customers can directly access vulnerability information to understand what we scan for. => Measure page views.

### What is the type of buyer?

### Is this a cross-stage feature?

### Links / references

* [Security Advisories dashboard](https://app.periscopedata.com/app/gitlab/588449/Security-Advisories)
* [CVE updates in handbook](https://about.gitlab.com/handbook/engineering/development/performance-indicators/#cve-issue-to-update)
* [Can's Vulnerability list page](https://caneldem.gitlab.io/vuln-pages/)