This runbook is meant to help AppSec engineers who need to engage and work with SIRT to respond to a HackerOne report, discovered vulnerability, or other security incident.
If this is a P1S1, follow the P1S1 runbook and engage the security on-call.
When using `/security` to engage SIRT:

- Use `/security` after we have validated the vulnerability or otherwise confirmed the incident.

These are some guidelines for selecting the urgency in the `/security` form:
| Type of incident | Urgency | Notes |
|---|---|---|
| Any kind of S1 | Urgent (page right away) | Examples include critical vulnerabilities, exposure of red data, still-valid team member token leaks |
| Personal data leaks | Not Urgent (review within 24 hours) | Could be Urgent depending on the volume and the data |
| Public merge requests fixing vulnerabilities not labeled `security-fix-in-public` | See notes | S2 and above is likely Urgent, S3 and below is Not Urgent |
In some situations, we just want SIRT to be aware of something that is happening or may become an incident soon. An example of this would be a high severity unverified HackerOne report from a reliable HackerOne reporter.
Put a message in the #sd_security_operations Slack channel with a brief description of the situation. You may consider using `/sirtoncall` to determine who is on-call and pinging them.
For HackerOne reports, you can also import the report into a GitLab issue and then mention `@gitlab-com/gl-security/security-operations/sirt` on it. Keep in mind this may not be appropriate, since it will ping all team members of SIRT.