
Security Task Tracking | SLA-Based Prioritization

Security tasks need SLAs: Critical 24h, High 7d, Medium 30d. GitScrum tracks vulnerabilities with severity labels, private NoteVault docs, and audit-ready remediation logs.


How to track security tasks in development projects?

Track security tasks by creating dedicated security labels (security:critical, security:high), keeping sensitive vulnerability details in private notes, documenting remediation in NoteVault for audit trails, and prioritizing security fixes with the urgency their severity demands. Set an SLA for each severity level and review it regularly so security tasks do not languish in the backlog.

Security severity and SLAs

| Severity | Description | SLA | Label |
| --- | --- | --- | --- |
| Critical | Actively exploited, data breach | 24 hours | security:critical |
| High | Exploitable, significant impact | 7 days | security:high |
| Medium | Exploitable, limited impact | 30 days | security:medium |
| Low | Minimal risk, hardening | 90 days | security:low |

Security labels

| Label | Purpose |
| --- | --- |
| security:critical | Immediate action required (24-hour SLA) |
| security:high | Urgent fix needed (7-day SLA) |
| security:medium | Standard priority (30-day SLA) |
| security:low | Schedule within the 90-day SLA |
| security:audit | Audit-related task |
| security:compliance | Compliance requirement |
| security:vulnerability | A specific, confirmed vulnerability |
| security:hardening | Proactive improvement, no known exploit |

Give each task exactly one severity label, optionally combined with a type label (for example, security:high plus security:vulnerability). A task carrying two severity labels has an ambiguous SLA and should be sent back to triage.

Security task template

## Security: [Generic Title - No Details]

Severity: [Critical/High/Medium/Low]
SLA: [Date]
Reporter: [Scanner/Researcher/Internal]

Private Details: [Link to private NoteVault]

Remediation:
- [ ] Assess impact
- [ ] Develop fix
- [ ] Test fix
- [ ] Deploy to staging
- [ ] Verify remediation
- [ ] Deploy to production
- [ ] Update security documentation

Post-Remediation:
- [ ] Update public task with summary
- [ ] Notify stakeholders if required
- [ ] Close related CVE tracking
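
The SLA table and the task template above, as an added worked example (this is not GitScrum code): a small Python script that maps the severity labels to deadlines, fills the template's Severity and SLA fields, and sorts an open backlog into on-track, due-soon, overdue and untriaged buckets so that nothing languishes. The task record fields (`title`, `labels`, `created`), the 80% due-soon threshold and the sample backlog are assumptions constructed for this example.

```python
"""Added example: SLA deadlines for security tasks labelled as in the page's
severity table. Not GitScrum code; the task record fields and the sample
backlog below are assumptions constructed for illustration."""
from datetime import datetime, timedelta, timezone

# SLA policy from the severity table: label -> (severity name, SLA window).
SLA_POLICY = {
    "security:critical": ("Critical", timedelta(hours=24)),
    "security:high": ("High", timedelta(days=7)),
    "security:medium": ("Medium", timedelta(days=30)),
    "security:low": ("Low", timedelta(days=90)),
}


def severity_label(labels):
    """Return the single severity label on a task, or None if untriaged.
    Two severity labels make the SLA ambiguous, so refuse that case."""
    found = [lbl for lbl in labels if lbl in SLA_POLICY]
    if len(found) > 1:
        raise ValueError(f"conflicting severity labels: {found}")
    return found[0] if found else None


def sla_deadline(label, created):
    """Deadline = task creation time + the SLA window for its label."""
    return created + SLA_POLICY[label][1]


def render_task(title, label, created, reporter, private_link):
    """Fill the header of the page's task template. The title stays generic
    on purpose; the full details live in the private NoteVault document."""
    severity, _ = SLA_POLICY[label]
    due = sla_deadline(label, created)
    return "\n".join([
        f"## Security: {title}",
        "",
        f"Severity: {severity}",
        f"SLA: {due.strftime('%Y-%m-%d %H:%M UTC')}",
        f"Reporter: {reporter}",
        "",
        f"Private Details: {private_link}",
    ])


def sla_status(task, now, due_soon=0.8):
    """Classify an open task as 'untriaged', 'on_track', 'due_soon' or
    'overdue'. due_soon fires once 80% of the SLA window is consumed
    (assumed threshold, not from the page)."""
    label = severity_label(task["labels"])
    if label is None:
        return "untriaged"
    created = task["created"]
    deadline = sla_deadline(label, created)
    if now >= deadline:
        return "overdue"
    consumed = (now - created) / (deadline - created)
    return "due_soon" if consumed >= due_soon else "on_track"


def sla_report(tasks, now):
    """Group open tasks by SLA status so overdue ones cannot hide in the backlog."""
    report = {"untriaged": [], "on_track": [], "due_soon": [], "overdue": []}
    for task in tasks:
        report[sla_status(task, now)].append(task["title"])
    return report


# Constructed sample backlog (not real data).
NOW = datetime(2025, 1, 20, 12, 0, tzinfo=timezone.utc)
SAMPLE_TASKS = [
    {"title": "Security fix for authentication module",
     "labels": ["security:critical", "security:vulnerability"],
     "created": NOW - timedelta(hours=30)},       # 24h SLA already blown
    {"title": "Security fix for search endpoint",
     "labels": ["security:high"],
     "created": NOW - timedelta(days=6)},         # 6/7 of the window used
    {"title": "Dependency upgrade for XML parser",
     "labels": ["security:medium"],
     "created": NOW - timedelta(days=2)},         # well inside 30 days
    {"title": "Review TLS cipher configuration",
     "labels": ["security:hardening"],            # no severity label yet
     "created": NOW - timedelta(days=40)},
]

if __name__ == "__main__":
    for status, titles in sla_report(SAMPLE_TASKS, NOW).items():
        print(f"{status:10s} {titles}")
    print(render_task("Security fix for authentication module", "security:critical",
                      SAMPLE_TASKS[0]["created"], "Scanner",
                      "[Link to private NoteVault]"))
```

Run it daily against the open tasks carrying a `security:` label and post the `overdue` and `untriaged` lists where the team sees them; the untriaged bucket catches hardening or vulnerability tasks that were never given a severity and therefore have no SLA at all.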

Handling confidential vulnerabilities:

  • Create a generic task - for example "Security fix for authentication module", with no exploit details in the title
  • Document privately - full details (affected code, reproduction steps, exploit conditions) go in a private NoteVault document
  • Limit assignees - only security-cleared developers
  • Avoid details in comments - keep the technical discussion in the private document, not in task comments or commit messages
  • Fix and verify - follow the standard development process through staging and production
  • Post-remediation disclosure - update the task with a safe summary once the fix is deployed
  • Audit trail - NoteVault revision history records who changed what and when, for compliance

NoteVault security documentation

    # Security Remediation Log
    
    ## Active Vulnerabilities (Confidential)
    [Link to private tracking]
    
    ## Remediated This Quarter
    
    ### [Date] - SQL Injection in Search
    - Severity: High
    - Reported: 2025-01-15
    - Fixed: 2025-01-17
    - Root cause: Unsanitized user input
    - Fix: Parameterized queries
    - Verification: Penetration test passed
    
    ### [Date] - XSS in Comments
    - Severity: Medium
    - Reported: 2025-01-10
    - Fixed: 2025-01-20
    - Root cause: Missing output encoding
    - Fix: HTML escaping, CSP headers
    - Verification: Security scan clean
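
The remediation log format above, as an added example (this is not NoteVault or GitScrum code): a Python parser that reads the `### <date> - <title>` sections and their `- Key: value` lines from a log like the one shown, skips the confidential "Active Vulnerabilities" section, and reports days-to-fix and SLA compliance per entry for the quarterly audit summary. The sample log text is constructed here (a third entry is added to show an SLA miss); the SLA day counts follow the severity table on this page.

```python
"""Added example: parse the NoteVault remediation log format shown on this page
and check each remediated entry against the page's SLA windows. Not NoteVault
or GitScrum code; SAMPLE_LOG is constructed sample data."""
import re
from datetime import date

# SLA windows in days, from the severity table (Critical = 24 hours).
SLA_DAYS = {"Critical": 1, "High": 7, "Medium": 30, "Low": 90}

HEADING = re.compile(r"^### (?P<date>.+?) - (?P<title>.+)$")
FIELD = re.compile(r"^- (?P<key>[A-Za-z ]+): (?P<value>.+)$")


def parse_log(text):
    """Return one dict per '### <date> - <title>' section with its '- Key: value'
    fields. Only sections under a '## Remediated' heading are parsed; the
    confidential 'Active Vulnerabilities' section holds only a link and is skipped."""
    entries, current, in_remediated = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("## "):
            in_remediated = line.startswith("## Remediated")
            current = None
            continue
        if not in_remediated:
            continue
        m = HEADING.match(line)
        if m:
            current = {"title": m.group("title"), "date": m.group("date")}
            entries.append(current)
            continue
        m = FIELD.match(line)
        if m and current is not None:
            current[m.group("key")] = m.group("value")
    return entries


def days_to_fix(entry):
    """Calendar days between Reported and Fixed; reject incomplete or inverted entries."""
    for key in ("Severity", "Reported", "Fixed"):
        if key not in entry:
            raise ValueError(f"{entry['title']}: missing '{key}' field")
    reported = date.fromisoformat(entry["Reported"])
    fixed = date.fromisoformat(entry["Fixed"])
    if fixed < reported:
        raise ValueError(f"{entry['title']}: fixed before reported")
    return (fixed - reported).days


def sla_compliance(entries):
    """Per-entry rows (title, severity, days, within_sla) plus summary metrics."""
    rows = []
    for entry in entries:
        severity = entry["Severity"]
        days = days_to_fix(entry)
        rows.append((entry["title"], severity, days, days <= SLA_DAYS[severity]))
    met = sum(1 for row in rows if row[3])
    summary = {
        "count": len(rows),
        "mean_days": sum(row[2] for row in rows) / len(rows) if rows else 0.0,
        "sla_met_pct": 100.0 * met / len(rows) if rows else 0.0,
    }
    return rows, summary


# Constructed sample log in the page's format (not real data).
SAMPLE_LOG = """\
# Security Remediation Log

## Active Vulnerabilities (Confidential)
[Link to private tracking]

## Remediated This Quarter

### 2025-01-17 - SQL Injection in Search
- Severity: High
- Reported: 2025-01-15
- Fixed: 2025-01-17
- Root cause: Unsanitized user input
- Fix: Parameterized queries
- Verification: Penetration test passed

### 2025-01-20 - XSS in Comments
- Severity: Medium
- Reported: 2025-01-10
- Fixed: 2025-01-20
- Root cause: Missing output encoding
- Fix: HTML escaping, CSP headers
- Verification: Security scan clean

### 2025-02-03 - Token exposed in CI build log
- Severity: Critical
- Reported: 2025-02-01
- Fixed: 2025-02-03
- Root cause: Secret echoed by a pipeline step
- Fix: Masked variable, rotated token
- Verification: Log review clean
"""

if __name__ == "__main__":
    rows, summary = sla_compliance(parse_log(SAMPLE_LOG))
    for title, severity, days, ok in rows:
        print(f"{'OK ' if ok else 'MISS'} {severity:8s} {days:3d}d  {title}")
    print(summary)
```

The per-entry `within_sla` flag is what an auditor will ask for: an entry whose Fixed date falls outside the window for its severity is a documented SLA miss, which is better than a backdated log. Keeping the script read-only over the NoteVault export preserves the revision history as the system of record.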
    

Security workflow

| Column | Security purpose |
| --- | --- |
| Triage | Assess severity, assign SLA |
| In Progress | Active remediation |
| Review | Security team verification |
| Staging | Test in staging environment |
| Production | Deployed fix |
| Verified | Post-deployment verification |
