This is a curated list of commonly asked questions related to Application Security. If you have a question that is not answered here or in the handbook page please reach out to the AppSec slack channel #sec-appsec.
Check if the related confidential security issue has the label ~"security-fix-in-public". This label means that the security issue has already been accepted to be addressed in public, so it is ok to have this MR in public. If this is not the case, engage the Security Engineer On-Call to delete the MR and branch.
In GitLab, @ mention @gitlab-com/gl-security/appsec and the AppSec engineer on rotation will respond. In Slack, reach out on #sec-appsec.
We do not maintain 3rd party images. As appropriate we will follow our Disclosure Guidelines for Vulnerabilities in 3rd Party Software, our Vulnerability Management Policy, and our Release and Maintenance Policy.