Closed commit-dkp closed 7 years ago
A monthly report on closure timeliness is advised: https://www.dhs.gov/sites/default/files/publications/4300A-Handbook-Attachment-H-POAM-Guide.pdf
As I wrote in #21, I want to avoid mixing gov't policy with our own; as we say in the project instructions doc, "note that bug bounty resolution is entirely separate from any federal policy and compliance with one does not confer compliance with the other." There may indeed be further consequences to programs that don't resolve issues within required SLAs, but they aren't our consequences.
These SLAs are my own; they're roughly what I've observed to be common practice in the private sector. Super un-scientific, though; I'm definitely open to other suggestions!
@jacobian I don't have different SLAs to suggest, I only opened this issue because project managers will want to know if what you're recommending is something they're already doing, easier than what they're already doing, or harder than what they're already doing. And if the answer is "easier" or "harder", they'll want to know why.
@commit-dkp I'm not completely sure I follow; want to suggest some language to add to the doc, or open a PR? Otherwise I'm not sure exactly what the task should be here.
Resolved by https://github.com/18F/bug-bounty/pull/25.
From https://github.com/18F/bug-bounty/blob/master/project-instructions.md:
- High severity: 7 days
- Medium severity: 30 days
- Low severity: 90 days
Do these recommended SLAs meet, exceed, or fall short of federal policy? If they exceed or fall short, why?