18F / bug-bounty

OUT OF DATE: Internal documentation for TTS's bug bounty.
https://github.com/18F/tts-tech-portfolio/issues/49

Required SLA Consequences? #21

Closed commit-dkp closed 7 years ago

commit-dkp commented 7 years ago

From https://github.com/18F/bug-bounty/blob/master/project-instructions.md:

"Projects that participate in the bug bounty program inherit a SLA: Issues must be resolved within 90 (calendar) days of being reported."

What happens if an issue is not resolved within 90 calendar days of being reported?

cryptofilegsa commented 7 years ago

In terms of what happens after 90 days, consider comparing to the FedRAMP POA&M process: https://www.gsa.gov/graphics/staffoffices/FedRAMP_POAM_Template_050212_508.doc

jacobian commented 7 years ago

@commit-dkp dunno, what do you think? Obviously at some point the consequence is that we kick the program out of the bounty, but should that be zero tolerance? "Three strikes and you're out?" I'm wary of hard and fast rules because the real world is complicated, but that clashes with my desire to be clear and consistent. Thoughts?

@cryptofilegsa I want to avoid mixing gov't policy with our own; as we say in the project instructions doc, "note that bug bounty resolution is entirely separate from any federal policy and compliance with one does not confer compliance with the other." There may indeed be further consequences to programs that don't resolve issues within required SLAs, but they aren't our consequences.

commit-dkp commented 7 years ago

@jacobian Agreed, the real world is complicated. My inclination is to suggest that if the required 90-day SLA is missed, at least two things should happen:

  1. The 90-day SLA should be reviewed to confirm that it is still aligned with everyone's goals. It is entirely possible that it might not be. The real world being complicated, the SLA may be an over-simplification.

  2. The Bug Bounty team should do a root cause analysis with the violating team to determine if the reason for the violation could be avoided in the future. If the violation can be avoided, folks need to agree to take the identified steps; if folks can't agree, or the violation can't be avoided, then participation in the bug bounty should be put on hold.

commit-dkp commented 7 years ago

Resolved by https://github.com/18F/bug-bounty/pull/25.