Vulnerability Management Team
This handbook page describes how the Vulnerability Management team works on a day to day, quarter to quarter basis. We recognize this process is iterative and requires regular introspection to ensure we are always improving and not stagnating in our approach.
Mission
The Vulnerability Management team enables GitLab to ship secure software to customers by providing comprehensive visibility into security vulnerabilities and driving efficient remediation through automated workflows, standardized processes, and clear risk communication. Our team serves as the central hub for vulnerability intelligence, tooling, and metrics that empower teams to proactively manage security risk across GitLab’s evolving technology landscape.
Value Proposition
We provide automated vulnerability detection, standardized remediation workflows, and comprehensive risk visibility so that stakeholders and customers can confidently build and deploy GitLab securely while maintaining development velocity and meeting compliance requirements.
Scopes and Responsibilities
Primary Areas of Ownership
Vulnerability Management Standards & Procedures
- Establishing and maintaining vulnerability management policies
- Defining SLA frameworks and remediation timelines
- Creating exception and risk acceptance processes
- Setting scanning requirements and coverage standards
Vulnerability Detection & Correlation
- VulnMapper development and maintenance
- Integration with multiple vulnerability data sources
- Normalization of vulnerability findings
- Advisory data management and correlation
Automated Workflow Management
- Creation and routing of vulnerability tracking issues
- Exception request handling
Program Coverage & Visibility
- Infrastructure vulnerability scanning (GitLab.com, Dedicated)
- Container and dependency scanning oversight
Program Metrics & Reporting
- Stakeholder-scope risk communication (See Metrics below)
- Customer-facing artifact generation
- Supporting compliance audit evidence collection
Supporting Efficient Remediation
- Identifying and documenting challenges to remediation
- Automating remediation workflows
- Providing documentation
FedRAMP
- Vulnerability scanning tooling
- Automated generation of vulnerability artifacts
Shared Responsibilities
Vulnerability Triage
The vulnerability triage model is distributed across teams based on expertise and domain knowledge. This approach improves efficiency and accuracy of vulnerability assessment.
Vulnerability Management
- Providing automated contextual enrichment for all vulnerabilities
- Supplying patch availability information and vendor triage status
- Maintaining integration with advisory data sources
- Ensuring consistent labeling and workflow routing
Application Security
- Triaging HackerOne reports and bug bounty submissions
- Assessing exploitability and impact for application vulnerabilities
- Validating SAST and DAST findings
Infrastructure Security
- Triaging cloud/infrastructure misconfigurations
- Validating Wiz cloud security alerts
- Prioritizing infrastructure remediations
Engineering
- Triaging GitLab tooling findings related to their application components
- Providing business context for vulnerability risk assessment
- Assessing technical feasibility of remediation approaches
- Validating dependency vulnerabilities in their codebase
Engagement Model
- Triage SLAs defined by vulnerability severity
- Cross-team collaboration coordinated through GitLab issues
- Automated triage workflows through VulnMapper
Out of Scope
Direct Vulnerability Remediation
Tasks owned by AppSec/Engineering/Infrastructure:
- Writing code fixes for vulnerabilities
- Deploying patches
- Making infrastructure changes
- Direct system modifications
Vulnerabilities related to end-user endpoints
Owned by CorpSec
- End user system asset management
- Patch tracking and measurement on end user systems
- Reporting of end user system vulnerabilities
GitLab platform Vulnerability Management features
- GitLab Security Dashboard / Report features used by customers
- Development/Maintenance of CI/CD vulnerability scanning tools
- The GitLab advisory database
- Owned by various teams in the Sec section depending on feature.
Contacting Us
Slack
- #g_security_vulnmgmt: public team channel for questions and for following team communication
- #threat_vuln_management: private team channel, increasingly used primarily for team automation
- @vulnerability-management: Slack group handle
GitLab
@gitlab-com/gl-security/product-security/vulnerability-management
FY26 Strategic Initiatives
- FedRAMP
- Maturing program focus areas
- Program Advocacy
Planning
Vulnerability Management follows GitLab product milestones.
Prior to a new milestone beginning, planning is performed to define the expected outcome of the next milestone and the work required to accomplish it. We review our ability to deliver this work within the milestone and commit to, or adjust, issues so that they fit. Additionally, any work which is not scoped or not sized is qualified and labelled.
How do we break down quarterly items into appropriately sized work items (issues)?
Ideally, sizing and planning labels are added as new issues are created. We aim to define work as small actionable issues to assist with fitting work into milestones and being able to parallelize work. Where work has not been sized and scoped, we do this sizing and scoping work during milestone planning for items we want to schedule for that milestone.
Refinement & Sizing
Work is sized based on the estimated percentage of a milestone required to complete the task as it is defined. Work is defined as clearly as possible to try and minimize the impact of misunderstood requirements leading to scope creep. Issue sizing is performed on a defined scale of issue weights and sizing labels.
These steps are used as guidelines:
- Check the issue for sufficiently detailed requirements needed to accomplish the desired outcome.
- If the requirements or outputs are not clear enough to confidently assess whether the issue is actionable and how much of the milestone it would consume, it needs to be refined.
- Add appropriate weighting & labels to the issue based on the estimated time to investigate, research and deliver the documented outputs.
- Request help/assistance from other parties when the issue requires cross team collaboration during planning if possible.
Issue Weighting
This is the scale used to size issues for scheduling. Note, the estimated durations are referring to overall effort, not scheduling duration. For example, if a large task can have several small tasks created and parallelized, it may be completed in less than 4+ weeks of scheduled time, but still be appropriately sized as a large work item.
Issues should be labelled with a development label to describe the expected level of effort required.
Additional Labels Used
In addition to the sizing labels detailed in the previous section, the following labels are used in prioritization and planning.
Label | Purpose | Scoped |
---|---|---|
~"vuln-mgmt-BAU" | This issue represents work which is part of regular or BAU ("business as usual") activities, which do not require explicit planning | No |
~"vulnerability-management-tooling::*" | Scoped label indicating which tool or automation this issue relates to. To be used for tooling owned by Vulnerability Management | Yes |