author Mek Stittri <mstittri@gitlab.com> 2018-04-17 14:25:29 -0700
committer Mek Stittri <mstittri@gitlab.com> 2018-04-17 14:37:23 -0700
commit 5fbfa62b07ea500f9068b80af961c6f3a2ede9e0
tree e215cf203fc3625d500d3477b3c9b1a78d914585 /CONTRIBUTING.md
parent 3394d9538b70209ec6ccbafebeff377d82149e59
Added severity guidelines for security
Diffstat (limited to 'CONTRIBUTING.md')
-rw-r--r-- CONTRIBUTING.md 33
1 files changed, 21 insertions, 12 deletions
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 3a13b804319..65dc2281dd5 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -210,21 +210,21 @@ This label documents the planned timeline & urgency which is used to measure aga
| Label | Meaning | Estimate time to fix | Guidance |
|-------|-----------------|------------------------------------------------------------------|----------|
-| ~P1 | Immediate | Immediate hotfix to production | This would normally correspond to a S1 severity below |
+| ~P1 | Immediate | Immediate hotfix (outside of the normal release process) | This would normally correspond to a S1 severity below |
| ~P2 | Urgent Priority | The current release | |
-| ~P3 | High Priority | The next release | |
-| ~P4 | Medium Priority | Within the next 3 releases (1 quarter duration) | |
-| ~P5 | Low Priority | Anything outside the next 3 releases (the next quarter duration) | The issue is prominent but does not impact user workflow and a workaround if any is well documented |
+| ~P3 | High Priority | The next release after the current release | |
+| ~P4 | Medium Priority | Within the next 3 releases (approx one quarter) | |
+| ~P5 | Low Priority | Anything outside the next 3 releases (approx beyond one quarter) | The issue is prominent but does not impact user workflow and a workaround is documented |
-#### Team specific priority guidance
+#### Specific Priority guidance
-| Label | Availability / Performance | Security |
-|-------|--------------------------------------------------------------|----------|
-| ~P1 | | |
-| ~P2 | The issue is (almost) guaranteed to occur in the near future | |
-| ~P3 | The issue is likely to occur in the near future | |
-| ~P4 | The issue _may_ occur but it's not likely | |
-| ~P5 | | |
+| Label | Availability / Performance |
+|-------|--------------------------------------------------------------|
+| ~P1 | |
+| ~P2 | The issue is (almost) guaranteed to occur in the near future |
+| ~P3 | The issue is likely to occur in the near future |
+| ~P4 | The issue _may_ occur but it's not likely |
+| ~P5 | |
### Bug Severity labels (~S1, ~S2, ~S3 & etc.)
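Review bot: Dropping the Security column from the priority guidance table leaves security issues with no stated priority or time-to-fix mapping in this section; the only remaining link is the ~P1 row's "This would normally correspond to a S1 severity below". Suggest adding one sentence under "Specific Priority guidance" saying how a security severity translates into a ~P label, so triagers do not have to infer it. The table that remains has a single column and still carries empty ~P1 and ~P5 rows; either fill them or drop them. The new heading "Specific Priority guidance" also no longer says what it is specific to, now that "Team" is gone.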
@@ -237,6 +237,15 @@ Severity labels help us clearly communicate the impact of a ~bug on users.
| ~S3 | Major Severity | Broken Feature, workaround acceptable | Can create merge requests only from the Merge Requests page, not through the Issue. |
| ~S4 | Low Severity | Functionality inconvenience or cosmetic issue | Label colors are incorrect / not being displayed. |
+#### Specific Severity guidance
+
+| Label | Security Impact |
+|-------|-------------------------------------------------------------------|
+| ~S1 | >50% customers impacted (possible company extinction level event) |
+| ~S2 | Multiple customers impacted (but not apocalyptic) |
+| ~S3 | A single customer impacted |
+| ~S4 | No customer impact, or expected impact within 30 days |
+
### Label for community contributors (~"Accepting Merge Requests")
Issues that are beneficial to our users, 'nice to haves', that we currently do
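Review bot: The ~S4 row, "No customer impact, or expected impact within 30 days", reads as if an issue expected to affect customers within 30 days gets the lowest severity; if the intent is "no impact expected within 30 days", please say so explicitly. The tiers also leave gaps: ~S2 "Multiple customers impacted" and ~S1 ">50% customers impacted" overlap with no stated lower bound for ~S1 beyond the percentage, and nothing says what "impacted" means for a security issue (for example data exposure versus loss of availability). Consider replacing "possible company extinction level event" and "but not apocalyptic" with criteria a triager can check, and note how this table relates to the general severity table directly above it, since both now define ~S1 to ~S4.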