Bug prioritization

Last updated:

User experience degradation

When bugs are reported it's critical to properly gauge the extent and impact to be able to prioritize and respond accordingly. These are the priorities we use across the entire engineering org, along with the relevant labels to quickly identify them in GitHub.

Please always remember to tag your issues with the relevant priority.

GitHub LabelDescription
P0Critical, breaking issue (page crash, missing functionality)
P1Urgent, non-breaking (no crash but low usability)
P2Semi-urgent, non-breaking, affects UX but functional
P3Icebox, address when possible

Security issues

Security issues, due to their nature, have a different prioritization schema. This schema is also in line with our internal SOC 2 related policies (Vulnerability Management Policy). When filing security-related GitHub issues, remember to attach label security and the appropriate priority label. More details on filing can be found in the README of the product-internal repo.

Security issue information should not be made public until a fix is live and sufficiently (ideally completely) adopted.

PostHog security issues include a priority (severity) level. This level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can learn more about CVSS at FIRST.org and calculate it using the FIRST.org calculator.

GitHub LabelPriority LevelCVSS V3 Score RangeDefinitionExamples
security-P0Critical9.0 - 10.0Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allows remote code execution, financial theft, unauthorized access to/extraction of sensitive data, etc.Vulnerabilities that result in Remote Code Execution such as Vertical Authentication bypass, SSRF, XXE, SQL Injection, User authentication bypass
security-P1High7.0 - 8.9Vulnerabilities that affect the security of the platform including the processes it supports.Lateral authentication bypass, Stored XSS, some CSRF depending on impact
security-P2Medium4.0 - 6.9Vulnerabilities that affect multiple users, and require little or no user interaction to trigger.Reflective XSS, Direct object reference, URL Redirect, some CSRF depending on impact
security-P3Low0.1 - 3.9Issues that affect singular users and require interaction or significant prerequisites (MitM) to trigger.Common flaws, Debug information, Mixed Content