18F / bug-bounty

OUT OF DATE: Internal documentation for TTS's bug bounty.
https://github.com/18F/tts-tech-portfolio/issues/49

Recommended SLA Consequences? #23

Closed commit-dkp closed 7 years ago

commit-dkp commented 7 years ago

https://github.com/18F/bug-bounty/blob/master/project-instructions.md recommends a different SLA for each severity level. What action(s) should be prompted by missing a recommended SLA?

jacobian commented 7 years ago

My feeling is that there are no consequences, and that these are simply suggestions. But that's a weak opinion; @commit-dkp @kimberbat thoughts?

kimberbat commented 7 years ago

I think if we're going to miss an SLA, we need to notify the researcher and ask for an extension with a new ETA - particularly for higher severity levels - which will require an update from the remediation team. Most will be accommodating and (hopefully) not publicly announce the vuln before we've had a chance to fix. Thoughts?

jacobian commented 7 years ago

I don't think we should commit to these to researchers -- we should promise only the 90-day SLA. But yes, we should be in constant contact with researchers with open issues, and keep them apprised of ETAs and status. I think H1 can help us with that, but that's something we should add to our process for sure.

commit-dkp commented 7 years ago

I suppose I should first clarify that this issue is regarding the "recommended" SLAs, not the required 90-day SLA, for which I opened https://github.com/18F/bug-bounty/issues/21 .

So I don't think these recommended dates should be described as SLAs unless we fully describe the terms of the service-level agreement we're recommending. For them to be SLAs, they need to be paired with recommended action(s).

For example (but not necessarily something I would recommend!), "missing the Low severity SLA should prompt your team to review the issue and decide whether it is still valid or not; missing the Medium severity SLA should prompt your team to review the issue and decide whether it is appropriately ranked as Medium; missing the High severity SLA should prompt your team to deliver a progress report to any internal stakeholders."

Or, we could just describe them as recommended sprint timelines or such, so that folks understand there is no "or else" to them.

commit-dkp commented 7 years ago

Resolved by https://github.com/18F/bug-bounty/pull/25 .