possible process change on security hire #115
Conversation
| 1. You write your first Sourcegraph [RFC](https://about.sourcegraph.com/handbook/communication/rfcs) by creating a new Google Doc using [this template](https://docs.google.com/document/d/1ol7aVXuXB7XL4DorOoxoDsaSyFI9Pv4Bcc1zfo-iLtw/edit#). We will review your RFC and may ask questions via comments directly on the document. | ||
| 1. You speak with the Sourcegraph Cloud engineering manager for 1 hour about your RFC. | ||
| 1. We schedule 4 hours of remote interviews over video chat across multiple days. | ||
| 1. You write a short security assessment, taking less than **30m** of your time, explaining a security vulnerability. |
There was a problem hiding this comment.
Can you flesh this out more? Is this a security assessment about Sourcegraph or could it be about a past security threat? Can a candidate share something they have already written?
There was a problem hiding this comment.
I'm going to dummy up a template, much like the RFC. The idea is that a candidate would explain a vulnerability for which we provide the appropriate research. The candidate will help explain the vulnerability in plain English. Given the information we provide, they would ideally explain the impact of the vulnerability to the Sourcegraph product. I should have it ready tomorrow afternoon.
|
ping on getting this merged |
|
Adding the sample template now in a google doc. I intend to link to it in this career page.
|
Updated with a sample CVE and changed the timeline. I feel like it was unfair to the candidate. Have a look - I'm pro merging, but wanted to run it by you. |
| 1. You write your first Sourcegraph [RFC](https://about.sourcegraph.com/handbook/communication/rfcs) by creating a new Google Doc using [this template](https://docs.google.com/document/d/1ol7aVXuXB7XL4DorOoxoDsaSyFI9Pv4Bcc1zfo-iLtw/edit#). We will review your RFC and may ask questions via comments directly on the document. | ||
| 1. You speak with the Sourcegraph Cloud engineering manager for 1 hour about your RFC. | ||
| 1. We schedule 4 hours of remote interviews over video chat across multiple days. | ||
| 1. You write a short security assessment, taking less than **1hr** of your time, explaining a security vulnerability [sample problem](https://docs.google.com/document/d/1oXhjU_3y2uhpmWJ2hD0NTaqSanUAOlKDFFmjazAU3Rg/). |
There was a problem hiding this comment.
Please share this doc with the Sourcegraph org so we can suggest/edit/comment. Can you inline instructions into that document?
|
Merging since this is an improvement and I want to move this content to the handbook. I still think the project could use clearer instructions and I left a comment in the doc |
The potential process change is highlighted here. I'm thinking that we can ask new hires to explain a vulnerability, in plain English, and assess it's impact. This will allow us to both gauge their understanding of security, and their ability to communicate. To wit, we would be relying on an existing, public vulnerability, already disclosed in the mitre database, and asking for a two to three paragraph response.