The following process is a supplement to the first few steps of the critical release process and applies once a potential S1/P1 issue is made known. The appsec engineer steps are as follows:
Sometimes the fix is very simple, sometimes it is not. If the impact to users over the time it would take to apply the long-term fix is unacceptable, you will need to consider a short-term mitigation as well as the long-term fix. Otherwise, if you and the development team are confident the fix is straightforward and simple, you only need the long-term fix, rolled out in a critical security release.
Some past short-term options have been:
Appsec engineers are not on-call. That means when the assigned appsec engineer's end of day arrives, they are responsible for handing the issue off to the next appsec engineer in a subsequent timezone. If no appsec engineer is available, hand off to the on-call secops engineer.