Security - How we manage our work

Our processes are in a period of change, so if in doubt, please reach out to us directly in Slack at #security.



  1. Goals are something we strive for, whilst tracking and communicating progress.
  2. A work item is a piece of work (e.g., writing code, hiring a new teammate, deploying a new tool) that makes progress toward achieving a goal.
  3. Releases may be made up of N workitems, that may impact Y goals. Whilst this is true, we communicate both internally and externally progress towards those goals.
  4. Security by its various nature has constraints on how public it’s work can be. The Security team are currently trialing Jira for our execution of work - work in Jira is not currently visible, but out high level plans are still public.
  5. Work items can still be raised by anyone in the (main repo and private workitems (security repo) can be created in. Over time workitems should move from the private repository to the public repository once they can be made public. The ideal goal state is the lack of a private security repository.

Process Overview

Planning & Roadmap

  1. We plan iterations and features (prior to their execution) in a team planning session.
  2. We set one or more goals for the iteration.
  3. We write RFCs and solicit feedback (ideally), prior to the start of an iteration, but especially with forethought in mind.
  4. We hold weekly team syncs and track them here.
  5. We follow the Poker-Planning methodology for assigning story points.

ProductBoard serves as our tool for oversight and higher level planning.

In it, you can find:

Work stays in ProductBoard until it qualifies from “we might do this” to “we are going to”. At that point, things transition over into Jira for more detailed planning and execution.


Jira is intended only for planned work.

  • Big work
    • Stuff we’re going to do makes it into here via ProductBoard, where it gets broken down, ordered, and prioritized against other commited stuff
  • Small items that don’t fit with the strategic roadmap, but that need to be done soon
  • Bugs
  • Asks from internal teams (e.g. support or consultation)