Application Security Runbooks

Note for new team members

Whenever you are on a rotation (HackerOne or Triage Rotation) or going through your onboarding process and need help or advice, reach out in the #sec-appsec Slack channel or ask during an AppSec Sync meeting. Here are some example scenarios where you may need to ask for help:

  • You’re doing your onboarding tasks, threat modeling, or AppSec reviews, and you’re stuck or don’t know how to tackle something in particular
  • You’re on ping rotation and you don’t know how to deal with a particular situation or what to do with a specific question
  • You’re on HackerOne rotation and have to deal with a hard report

Application Security Engineer Handling priority::1/severity::1 Issues
The following process is a supplement to the first few steps of the critical release process. Once a …
Application Security Engineer Working With SIRT
This runbook is meant to help AppSec engineers who need to engage and work with SIRT to respond to a …
AppSec Engineer's Local Setup
When evaluating security issues or MRs, it can be useful to have a way to reproduce issues, dig in …
AppSec Frequently Asked Questions
A curated list of the most frequently asked AppSec related questions
AppSec Holiday and Friends and Family Day Coverage
This runbook describes the process for times when the Application Security team has team members …
AppSec Review Template Process
This review template is tailored to application security reviews of GitLab features. Parts of it might be applicable to other software, other parts might not.
AppSec Threat Modeling Process
This threat modeling process is tailored to GitLab features.
AppSec's Engagement Plan and Ways to Measure Usage of Secure Code Warrior
How can AppSec Engineers Contribute to the Secure Code Warrior Training Program? If anyone from the …
Bug Hunting Day Process
The Application Security Team has a bug hunting day on the last Friday of …
CVSS Calculation
Please refer to the GitLab CVSS Calculator as the single-source-of-truth to determine CVSS scores on …
Dependency review guidelines for AppSec engineers
This content has been moved to Supply Chain Security for Open Source Dependencies and Libraries.
Federal AppSec Container Scan Result Review Process
Certain customers scan containers that GitLab provides for known vulnerabilities and other security …
General process for the application security team in patch releases
release-management GitLab Security Patch Release Process This document outlines the process and …
HackerOne Process
Purpose and Overview of GitLab’s Bug Bounty Program High-level description of the process …
Handling unintended vulnerability disclosures
The runbook for handling different scenarios of unintended vulnerability disclosures.
How to handle upstream security patches
release-management How to handle upstream security patches Third parties Sometimes the root cause …
Investigating Package Hunter Findings
List of Package Hunter Findings: Any Package Hunter related finding can be found on this dashboard …
JiHu Contribution Merge Monitor Reports
The Merge Monitor tool looks in public GitLab repositories that JiHu contributes to for merge …
Security Dashboard Review
Frequency: Daily. AppSec engineers are responsible for triaging the findings of the GitLab security …
Triage Rotation
Application Security team members are alphabetically assigned as the responsible individual (DRI) …
Verifying Security Fixes
The review of a fix by an application security engineer is triggered by the engineer implementing …
Last modified February 4, 2025: Change ref links to regular links (64832a18)