Customers often conduct due diligence and vendor risk management processes on their suppliers. This is not uncommon; GitLab conducts security reviews of its own vendors under the Third Party Vendor Security Review Process.
GitLab operates differently: specifically, we are extremely transparent and we iterate quickly while allowing anyone to contribute. Because of this, many questions a customer or prospect may have are already documented publicly.
Replace [keywords] with what you are searching for.
For example, searching for "about.gitlab.com vulnerability management overview" would quickly yield our Vulnerability Management Overview handbook page.
Important NOTE: More than 5 follow-on questions are considered a new questionnaire. They must either be created as a new SA Triage issue, or the desired completion date of the existing SA Triage issue must be reset.
If you are a team member taking a "first pass" on the customer questionnaire, you have several additional resources available to help you complete it. It is our priority to provide Solutions Architects with the information they need to answer between 80% and 90% of customer questions.
[keywords] in:[channel name]
Security Ready for Review
There is currently no published guidance on the SLA from customer request to Account Owner response.
There is currently no published guidance on the SLA from Account Owner assignment to response from the Solutions Architect.
Security Ready for Review
Once the issue on the SA Triage Board is successfully labeled Security Ready for Review, Field Security will acknowledge the issue within 1 business day. Field Security is currently located in the US Eastern time zone and observes all US Federal holidays.
Once Field Security has accepted the issue, all efforts will be made to complete the questionnaire within 10 calendar days. Questionnaires are prioritized based on opportunity tier and guidance from sales leadership. In some cases the 10 calendar day timeline cannot be met, in which case Field Security will provide an updated estimated completion date.
Field Security will respond to issues once they are labeled Security Ready for Review. When responding, Field Security will respond in one of 3 ways:
Remove the Security Ready for Review label and comment on what is unsatisfactory; see Return to Solutions Architect.
NOTE: This is an overview; for detailed steps see For GitLab Team Members.
In the event that the issue isn't ready for Field Security, it may be returned to the Solutions Architect with language similar to the blockquote below.
I'm sorry we have to return this issue to you. The following issues are preventing us from beginning our review of this assessment.
We are removing the Security Ready for Review label until these issues are resolved.
If you have further questions please feel free to message in Slack #sec-fieldsecurity or you can DM me directly.
/unlabel ~"Security Ready for Review"
In the event Field Security cannot meet the requirements of the Sales Team, it is important to update the Solutions Architect, Account Owner, and Security Leadership as soon as possible.
[Solutions Architect] and [Account Owner],
I'm sorry to inform you that due to [circumstances] we will be unable to meet your desired completion date of [mm/dd/yyyy]. We are truly sorry about this, but we wanted to communicate and set expectations early.
Currently we estimate we can complete this request by [mm/dd/yyyy]. Please feel free to message in Slack #sec-fieldsecurity or you can DM me directly. I'm copying in my leadership to inform them of the issue.
In the interim, please have a look at our Customer Assurance Package.
We look forward to resolving this request.
/cc @jburrows001, @julia.lake