Security/SOP/Security Readiness Reviews/Response Templates

Below are some handy email and/or Phabricator response templates to use when replying to various security readiness review issues:

Path to production
Hello {Entity}-

Thank you for doing this work. We appreciate your efforts in trying to get this extension to production. Unfortunately, the Security team is unable to assign a risk rating based upon a review not performed by a member of the Security team or an approved vendor.

Current deployment policy states that a formal security review is not a hard blocker for beta deployment, but we would ask that a sponsoring team and/or manager at the Foundation be willing to accept at least a medium risk for the deployment of the extension at this time. Please note that while the Security team would like to accommodate this review request, it would likely remain a lower priority given our current security review SOP prioritization framework.

Please let us know if there is a sponsoring team and/or manager willing to accept at least a medium risk for deployment of this extension. Once we hear from you, we will move forward with our regular scheduling and prioritization process. Thank you!

90 Day Rule
Hello {Entity}-

Per our Readiness Review SOP, any request that has aged 90 days without being in a reviewable state will be declined. We do this to help keep our work area current, accurate and reflective of actual work. If the status of your project changes, please re-tag us and we will get this work scheduled.