Introduction
This policy defines Sourcegraph's process for incoming security vulnerabilities. It defines roles, responsibilities, steps and SLAs.
The document is managed through git and history can be found in the git repository. Substantial changes to this document should be approved by the CTO and VP of Engineering. Minor changes such as formatting and presentation do not require approval.
Scope
This document concerns how we handle incoming vulnerabilities and engage with Engineering teams to ensure they are fixed. It does not cover tooling and processes to find vulnerabilities. More information on how we execute this process can be found on the Vulnerability Management Process document. The policy document is the source of truth in case there are any discrepancies between the two documents. If you find conflicting information please raise it to the attention of the Security team.
Vulnerability management stages
- Discovery: a vulnerability from any source becomes an item to be triaged by the Security team.
- Triaging: Security triages the vulnerability. If confirmed, they write a technical report and engage the code owner.
- Engineering estimation: the code owner suggests a patch and provides an estimate of the effort to complete it within the SLA defined by the severity level assigned during the triage process.
- Remediation: the code owner patches the issue. Security verifies the patch.
- Disclosure: Security discloses the vulnerability according to our vulnerability disclosure process.
Responsibilities
The Security team is responsible for:
- Responding to vulnerability reports from multiple sources and consolidating them in a single view for management
- Triaging the vulnerability reports and confirming their impact and exploitability in our systems
- Assigning a severity to confirmed vulnerabilities
- Engaging with code owners to patch vulnerabilities
- Verifying that vulnerabilities are properly fixed
- Disclosing vulnerabilities
- Adhering to the SLAs