Very proud of our security team for the responsive communication and ensuring the issue is made public <a href="https://gitlab.com/gitlab-org/gitlab-ce/issues/54189#note_128763324" rel="nofollow">https://gitlab.com/gitlab-org/gitlab-ce/issues/54189#note_12...</a>
Thank you for submitting this report. We will investigate the issue as soon as possible.
Due to our current workload, we will get back within <i>20 business days</i> with an update.

Best regards,
GitLab Security Team

Luckily someone looked at this sooner than a month later! You can see where Google's Project Zero came in - a push for folks to prioritize security.
It would be really cool to see a blog post on how this was handled internally. IR team notification, escalation paths, internal verification, how the product team was notified, determining priority, how you decide when to disclose vs not, etc.