Sometimes the fix is very simple, sometimes it's not. If the impact on users during the time it takes to apply the long-term fix is too great, you will need to consider a short-term solution as well as the long-term one. Otherwise, if you and the development team are confident the fix is straightforward and simple, then you only need to do the long-term fix and roll it out in a critical security release.
Collaborate with the development, security, and SRE/infrastructure teams to brainstorm short-term solutions until a long-term patch can be released.
Analyze the impact for each option.
How effective is it at solving the problem?
How many customers are affected by this decision?
How exactly are they affected?
What's the magnitude?
What other positive and negative consequences are there?
Choose the solution that best balances the concerns above with the concerns of participating teams.
Approval is not required, but clear communication of the decision is necessary. Notify the Director of Security, Director of Infrastructure, and any other parties involved with the proposals and decision.
Once the short-term solution has been delivered, validate that the fix was effective.
Some past short-term options have been:
HAProxy rules to block certain endpoints.
Disable a specific feature using feature flags or application configuration.
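As an added example (not configuration from this page or its organization), this is what the HAProxy option looks like in practice: a frontend rule that rejects requests to a vulnerable endpoint before they reach the application, while the long-term patch is prepared. The endpoint path, bind port, certificate path, and backend addresses are assumptions.

```haproxy
# Added example: short-term mitigation that blocks a vulnerable endpoint at the
# edge. Every name and path below is a placeholder, not a real deployment value.
global
    log stdout format raw local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend web_in
    bind *:443 ssl crt /etc/haproxy/certs/example.pem

    # Match the affected endpoint (hypothetical path), case-insensitively,
    # so URL-case variants do not slip past the block.
    acl vuln_endpoint path_beg -i /api/v4/vulnerable_feature
    # Narrow the block to the method the issue actually affects (assumed POST)
    # so unaffected read traffic keeps working for customers.
    acl is_post method POST

    # Reject matching requests. Denied requests still appear in the access log
    # with status 403 and termination state "PR", which is what you check
    # when validating that the short-term fix is effective.
    http-request deny deny_status 403 if vuln_endpoint is_post

    default_backend app_servers

backend app_servers
    server app1 10.0.0.10:8080 check
    server app2 10.0.0.11:8080 check
```

Validate after reload with `haproxy -c -f <file>` and then by confirming in the access log that requests to the blocked path receive 403 while other endpoints still return normally.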
Appsec engineers are not on-call. That means when the assigned appsec engineer's end of day arrives, they are responsible for handing the incident off to the next appsec engineer in a subsequent timezone. If no appsec engineer is available, hand off to the secops engineer on-call.