Security Capabilities Engineering

Security Capabilities Engineering Team Charter

Organizational Structure

Security Capabilities Engineering consists of three complementary teams:

Vulnerability Management

  • Focus: Vulnerability detection, workflow automation, and risk visibility
  • Key Deliverables: Automated triage, scanning coverage, customer artifacts, FedRAMP automation

Product Security Incident Response Team (PSIRT)

  • Focus: Vulnerability triage, coordinated remediation & disclosure, and security releases
  • Key Deliverables: Bug bounty program management, variant hunting, coordinated vulnerability remediation, and security releases coordination

Product Security Engineering (ProdSecEng)

  • Focus: Security automation, product contributions, and tooling integration
  • Key Deliverables: Security features, process automation, custom tooling maintenance and migration

Mission Statement

Security Capabilities Engineering enables GitLab through collaborative processes, data insights, and automation to build customer trust. We serve as the force multiplier for Product Security by transforming vulnerability intelligence into actionable insights, creating scalable security capabilities, and establishing the processes and tooling that enable GitLab to ship secure software at velocity.

Value Proposition

We provide comprehensive vulnerability lifecycle management, scalable automation solutions, and data-driven security insights so that GitLab’s engineering teams can build and ship secure software with confidence, customers receive transparent and timely security information, and Product Security teams can focus on high-value strategic initiatives rather than manual operations.

Strategic Vision

Security Capabilities Engineering operates at the intersection of three critical capabilities:

  • Data Insights That Inform Decisions: Transform vulnerability data into actionable intelligence and transparent customer artifacts
  • Product-First Automation That Scales: Build security capabilities to support using GitLab to secure GitLab, validating solutions before customer adoption
  • Processes That Enable Others: Establish standardized, documented workflows that create consistency and efficiency across the security lifecycle

Scope and Responsibilities

Primary Areas of Ownership

Security Capabilities Engineering owns the end-to-end vulnerability lifecycle and enabling automation across GitLab:

Vulnerability Intelligence & Lifecycle Management

  • Detection & Correlation: Comprehensive vulnerability scanning across GitLab-hosted environments, artifacts, and their associated supply chains
  • Triage & Assessment: Technical evaluation of vulnerability severity, exploitability, and business impact
  • Remediation Coordination: Collaboration with Engineering teams to prioritize and verify security fixes
  • Coordinated Disclosure: Management of bug bounty program and responsible vulnerability disclosure

Security Automation & Engineering

  • Product Security Tooling: Development and maintenance of specialized automation that enables scalable Product Security operations
  • Security Enhancement Features: Product contributions that reduce GitLab’s risk and enhance customer security capabilities
  • Tooling Integration & Sunsetting: Migration of custom security tooling into GitLab product features

Data & Metrics

  • Vulnerability Metrics & Reporting: Strategic and operational metrics for security posture visibility
  • Compliance Artifacts: Automated generation of compliance-facing security documentation
  • Risk Communication: Data-driven narratives that inform strategic decisions across GitLab

Interface Points

Internal Security Team Collaboration

  • Application Security (AppSec): Knowledge sharing, specialized product knowledge during incidents
  • Security Platforms & Architecture (SPA): Exploitability POC development, Product Security Risk Register (PSRR) alignment
  • Infrastructure Security: Cloud/infrastructure vulnerability triage, Wiz integration
  • Security Operations (SecOps): Incident support, threat detection IOC/POC development
  • Security Assurance: Compliance artifacts

Engineering & Product Collaboration

  • Development Teams: Vulnerability issues in GitLab, remediation collaboration
  • Product Teams: Early engagement on security features, user story validation, tooling integration planning
  • Release Management: Security patch coordination, version compatibility assessment

External Stakeholders

  • Customers: Transparent vulnerability disclosure, security advisories, compliance artifacts
  • Security Researchers: HackerOne program management, coordinated disclosure process
  • Security Community: Public disclosure coordination, industry best practices sharing

Out of Scope

Not owned by Security Capabilities Engineering:

  • Feature security reviews and threat modeling (owned by AppSec)
  • Infrastructure and cloud security architecture (owned by InfraSec)
  • End-user system vulnerabilities and patching (owned by CorpSec)
  • Direct vulnerability remediation (owned by Engineering)
  • Security compliance programs (owned by Security Assurance)
  • GitLab Security product features (owned by Sec Section product teams)

Operating Model

Core Processes

Vulnerability Lifecycle Workflow:

  1. Detection: Automated scanning across environments using Wiz, Trivy, and custom tooling
  2. Correlation & Enrichment: VulnMapper normalizes findings and adds contextual data
  3. Triage: Distributed model based on vulnerability type and team expertise
  4. Remediation: Coordination with Engineering, tracking through GitLab issues
  5. Verification: Validation that fixes are complete and not bypassable
  6. Disclosure: Customer communication through security releases, CVEs, and advisories

Automation Development:

  1. Intake & Evaluation: Requests assessed against automation criteria and product fit
  2. Use Case Documentation: Clear problem statement and success criteria
  3. Product Alignment: Assessment of fit with GitLab product vision
  4. Development: Iterative development following GitLab workflow labels
  5. Validation: Testing with security team stakeholders (Customer Zero)
  6. Handoff: Transition to appropriate product team or operations maintenance

Metrics & Reporting:

  1. Data Collection: Automated capture from VulnMapper, GitLab issues, and HackerOne
  2. Analysis: Contextual enrichment and trend identification
  3. Stakeholder Communication: Tailored reporting for different audiences
  4. Continuous Improvement: Feedback loops to refine processes and priorities

Communication Channels

GitLab:

  • Issue trackers in respective team projects
  • MR reviews and collaboration on security fixes
  • Epic tracking for cross-team strategic initiatives
  • @gitlab-com/gl-security/product-security/vulnerability-management (Vulnerability Management)
  • @gitlab-com/gl-security/product-security/psirt-group (PSIRT)
  • @gitlab-com/gl-security/product-security/product-security-engineering (ProdSecEng)

Slack:

  • #security_help - Primary channel for security questions and requests
  • #security-discuss - Broader security discussions and knowledge sharing
  • @vulnerability-management - Slack handle for VM team
  • @psirt-team - Slack handle for PSIRT team
  • @product-security-engineering - Slack handle for ProdSecEng team

FY27 Initiatives

  • Use Data as a Strategic Asset
  • Establish a Unified Vulnerability Lifecycle
  • Build a Product-First Mindset
Last modified February 5, 2026: Add Security Capabilities Engineering team charter (9ed1cc30)
View page source - Edit this page - please contribute. Creative Commons License