Application Security team members are alphabetically assigned as the responsible individual (DRI) for incoming requests to the Application Security team for a given calendar week in the Triage Rotation Google Sheet in the Security Team Drive.
One application security engineer is assigned this task each week and can be found at Triage Rotation.
The following rotations are defined:
~security-fix-in-publiclabel, indicating it has been approved by an AppSec team member to be fixed in public, link to the comment granting approval or include a message in Slack denoting that the
~security-fix-in-publiclabel was added.
Urgent - SEOC should be paged right awayoption if waiting up to 24 hours for a resolution would be too long.
If the Application Security team member has a conflict for the assigned week they may swap rotation weeks with another team member. This may be done for any reason including time off or the need for time to focus on a particular task.
Team members should not be assigned on weeks they are responsible for the scheduled security release.
Team members not assigned as the DRI for the week should continue to triage reports when possible, especially to close duplicates or handle related reports to those they have already triaged.
Team members remain responsible for their own assigned reports.
Exposure of information and secrets is handled a little differently to vulnerabilities, as there is nothing to patch and therefore no need for a GitLab Project Issue, CVSS, or CVE. When you're pinged during your rotation and you see a leaked secret, follow the process discribed on the HackerOne runbook