FY22-Q1 OKR - Security Awards Program (Phase III) => 90%
### Overview

As a 3rd iteration of the similar [FY21Q4 OKR](https://gitlab.com/groups/gitlab-com/gl-security/-/epics/79), the goal of this FY22Q1 OKR is to iterate on and enhance the Security Awards Program. The purpose of the [Security Awards program](https://about.gitlab.com/handbook/engineering/security/security-awards-program.html) is to incentivize GitLab staff members, in particular Software Engineering, to solve as many security-related issues and problems as possible.

### DRI

@plafoucriere

### Top-level OKR Alignment

**Great Team**: This OKR aligns with the goal of building a great team. With this program, we will create a sense of community, competition, esteemed recognition, and excitement to participate.

### Goals

- Reduce time spent managing the program, by automating as much as possible
- Broaden recognized initiatives
- Creation of an AppSec bucket, where Security Engineers drop issues, Epics, or Merge Requests that would significantly improve the product

## Retrospective

_Note: The percent complete value is estimated based on the weighting of the supporting KRs, where some KRs require a greater amount of more complex work to complete._

### Good

- The whole process is now automated. We just review the data once a week prior to merging into the main repo; other than that, everything runs on auto-pilot now.
- The [Security Awards cli](https://gitlab.com/gitlab-com/gl-security/engineering-and-research/security-awards) has been a good opportunity to experiment with our new [Threat Modeling guidelines](https://about.gitlab.com/handbook/security/threat_modeling/): https://gitlab.com/gitlab-com/gl-security/appsec/threat-models/-/merge_requests/2
- The program has been extended to the whole security department.
- A [blog article](https://gitlab.com/gitlab-com/gl-security/security-communications/communications/-/issues/376) is going to be published on this program.

### Bad

- We still have issues with the prizes. We entirely rely on Amazon gift cards now, which is not working great in some locations (or for some people).
- Couldn't find time to implement the [priority bucket](https://gitlab.com/gitlab-com/gl-security/appsec/appsec-team/-/issues/115)

### Try

- Consider giving bonuses (comp) instead of Amazon gift cards for people without a local Amazon entity
- More engagement from the team(s) to nominate more actions.