PSIRT Runbooks

This section contains operational runbooks for the Product Security Incident Response Team (PSIRT).

Critical Incident Response

General Runbooks

Note for Team Members

When you’re on-call or handling a security incident and need help or advice, reach out in the #security-department Slack channel or escalate according to the Security Engineer On-Call process.
CVSS Calculation
Please refer to the GitLab CVSS Calculator as the single-source-of-truth to determine CVSS scores on …
General process for the application security team in patch releases
release-management GitLab Security Patch Release Process This document outlines the process and …
HackerOne Process
Purpose and Overview of GitLab’s Bug Bounty Program High-level description of the process …
Handling priority::1/severity::1 Issues
The following process is a supplement to the first few steps of the critical release process Once a …
Handling unintended vulnerability disclosures
The runbook for handling different scenarios of unintended vulnerability disclosures.
How to handle upstream security patches
release-management How to handle upstream security patches Third parties Sometimes the root cause …
PSIRT Case Lifecycle
Description of how PSIRT will manage cases
PSIRT Holiday and Friends and Family Day Coverage
This runbook describes the process for times when the Product Security Incident Response Team has …
Verifying Security Fixes
The review of a fix by an application security engineer is triggered by the engineer implementing …
Working with SIRT
This runbook is meant to help AppSec engineers who need to engage and work with SIRT to respond to a …
Last modified December 5, 2025: PSIRT runbook update (47ae1520)