When a potential security vulnerability is discovered, we take the following steps:
Whenever a potential security vulnerability is discovered by a team member, we triage the issue. This involves investigating the potential scope of the problem, what may have caused it, and whether or not it may have been exploited. With this information we create a story in Pivotal Tracker within the appropriate project. After the story is created, it may be assigned to the appropriate individual(s) for additional triage.
We are influenced by the OWASP Risk Rating Methodology.
We assign three levels of severity:
In general security issues are assigned resources similarly to how we assign resources for bugs. However, we use time-based thresholds to ensure that all security issues are resolved within a reasonable amount of time given the severity of the issue. High severity issues must be fixed (significantly) more quickly than Medium severity issues. Medium severity issues must be fixed more quickly than Low severity issues.
In addition to resolving security issues as they are resolved, we also take several steps to increase our security.