| Name | Role |
|---|---|
| Mark Art | Manager, Vulnerability Research Engineering |
| Isaac Dawson | Staff Vulnerability Research Engineer, Vulnerability Research |
| Julian Thome | Senior Vulnerability Research Engineer, Vulnerability Research |
Vulnerability Research is a research and development team. Although it is not a product team, its work directly impacts the product. Our mission is to perform security research and develop proofs of concept that increase the capabilities and effectiveness of the Sec section. We also share security expertise and practical experience; to follow that work, watch for updates on our brown-bag sessions and on the GitLab blog (in particular the #security, #security-research and #vulnerability-research tags).
Ideally, research and proofs of concept produced by the team can be dogfooded quickly, with GitLab itself as the first customer. Successful iterations of the resulting tools can then be transitioned into the product and made available to the wider GitLab community in an automated fashion.
The Vulnerability Research team uses the standard priority labels, but in this team they may carry a different meaning than they do in product teams:
| Label | Meaning |
|---|---|
| red | The most critical task. Normally, only hull breaches should prompt a P1. Synonymous with incident. Example: the CNA/GemnasiumDB automation broke and needs to be fixed ASAP. |
| yellow | A "roadmap" item. Large projects that we work on for months fall into this category. |
| green | Tasks like discovery, nice-to-have proofs of concept, and anything we won't lose much by letting sit in the backlog. |
Any unlabeled issues are considered unprioritized, i.e. lowest-priority backlog.