User experience degradation
When bugs are reported it's critical to properly gauge the extent and impact to be able to prioritize and respond accordingly. These are the priorities we use across the entire engineering org, along with the relevant labels to quickly identify them in GitHub.
Please always remember to tag your issues with the relevant priority.
|P0||Critical, breaking issue (page crash, missing functionality)|
|P1||Urgent, non-breaking (no crash but low usability)|
|P2||Semi-urgent, non-breaking, affects UX but functional|
|P3||Icebox, address when possible|
Security issues, due to their nature, have a different prioritization schema. This schema is also in line with our internal SOC 2 related policies (Vulnerability Management Policy). When filing security-related GitHub issues, remember to attach label
security and the appropriate priority label. More details on filing can be found in the README of the
Security issue information should not be made public until a fix is live and sufficiently (ideally completely) adopted.
PostHog security issues include a priority (severity) level. This level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can learn more about CVSS at FIRST.org and calculate it using the FIRST.org calculator.
|GitHub Label||Priority Level||CVSS V3 Score Range||Definition||Examples|
|security-P0||Critical||9.0 - 10.0||Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allows remote code execution, financial theft, unauthorized access to/extraction of sensitive data, etc.||Vulnerabilities that result in Remote Code Execution such as Vertical Authentication bypass, SSRF, XXE, SQL Injection, User authentication bypass|
|security-P1||High||7.0 - 8.9||Vulnerabilities that affect the security of the platform including the processes it supports.||Lateral authentication bypass, Stored XSS, some CSRF depending on impact|
|security-P2||Medium||4.0 - 6.9||Vulnerabilities that affect multiple users, and require little or no user interaction to trigger.||Reflective XSS, Direct object reference, URL Redirect, some CSRF depending on impact|
|security-P3||Low||0.1 - 3.9||Issues that affect singular users and require interaction or significant prerequisites (MitM) to trigger.||Common flaws, Debug information, Mixed Content|