
About Security Bug reporting

Do not fix anything if there is no payer for the job.

  • Detect Possible Security Issues
  • Evaluate possible fixes available
  • Estimate how much time is needed to fix the issues (e.g. 1 h - 25 h)!
  • Add the link to the vulnerability to the bug report issue
  • Make sure all reported bugs can be found in the backlog first
  • Start fixing bugs in the development phase only! Do not do extra work!!

If you have several issues, you should add their work hours together.

E.g. Bug #10 (10 h) + Bug #45 (2 h) + Bug #66 (15 h) = cumulative work hours 27 h for fixing three bugs!

In the case of an EPIC (Security Fixes), you should not just take a bunch of bugs. Estimate which bugs you can handle.