Closed commit-dkp closed 7 years ago
My feeling is that there are no consequences, and that these are simply suggestions. But that's a weak opinion; @commit-dkp @kimberbat thoughts?
I think if we're going to miss an SLA, we need to notify the researcher and ask for an extension with a new ETA - particularly for higher severity levels - which will require an update from the remediation team. Most will be accommodating and (hopefully) not publicly announce the vuln before we've had a chance to fix. Thoughts?
I don't think we should commit to these to researchers -- we should promise only the 90-day SLA. But yes we should be in constant contact with researchers with open issues, and keep them apprised of ETAs and status. I think H1 can help us with that, but that's something we should add to our process for sure.
I suppose I should first clarify that this issue is regarding the "recommended" SLAs, not the required 90-day SLA, for which I opened https://github.com/18F/bug-bounty/issues/21 .
So I don't think these recommended dates should be described as SLAs unless we fully describe the terms of the service-level agreement we're recommending. For them to be SLAs, they need to be paired with recommended action(s).
For example (but not necessarily something I would recommend!), "missing the Low severity SLA should prompt your team to review the issue and decide whether it is still valid or not; missing the Medium severity SLA should prompt your team to review the issue and decide whether it is appropriately ranked as Medium; missing the High severity SLA should prompt your team to deliver a progress report to any internal stakeholders."
Or, we could just describe them as recommended sprint timelines or such, so that folks understand there is no "or else" to them.
Resolved by https://github.com/18F/bug-bounty/pull/25 .
https://github.com/18F/bug-bounty/blob/master/project-instructions.md recommends a different SLA for each severity level. What action(s) should be prompted by missing a recommended SLA?