Security Incident Response
Purpose
Handle vulnerability reports with coordinated disclosure, timely patches, and clear communication.
When to Use
- A security report arrives via advisories or email.
- Dependabot flags a critical/high vulnerability.
Steps
- Acknowledge the report within 24 hours.
- Validate and assess severity.
- Develop and test a private fix.
- Coordinate disclosure timing with the reporter.
- Publish a patched release and advisory.
- Announce the resolution and update SECURITY.md if needed.
Output Contract
- Severity is assessed and documented.
- A patched release is published within SLA.
- Security advisory and communication are complete.
References
- SECURITY.md for reporting channels and timelines.