goreleaser/INCIDENT_RESPONSE.md

# Incident Response Plan

This document outlines how the GoReleaser team responds to security incidents,
critical bugs, or operational disruptions that could affect users or the
trustworthiness of the project.

---

## 1. Scope

This plan applies to everything in the
[goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) repository,
including code, releases, and GitHub workflows.

## 2. Roles & Contacts

- **Incident Lead:** By default, [@caarlos0](https://github.com/caarlos0).
- **Security Contact:** All incidents must be reported via only
  [GitHub Security Advisories][gsa].

## 3. Detection & Reporting

**All security incidents are initially considered sensitive.**

They must be reported privately and exclusively through
[GitHub Security Advisories][gsa].

Do not disclose incidents via issues, pull requests, or public channels.

## 4. Initial Response

1. **Acknowledge** the report and thank the reporter.
2. **Assess** the severity and validity. See [CIA][cia].
3. **Engage** other maintainers if needed.
4. **Contain** the issue if possible (revoke credentials, disable workflows).

## 5. Investigation & Mitigation

- **Investigate** root cause and potential impact.
- **Mitigate**:
  - Patch vulnerabilities.
  - Rotate credentials (tokens/keys) if needed.
- **Document** all findings and actions.

## 6. Resolution Timeline

Resolution or assessment will typically be provided within **30 days** of
acknowledgment.

## 7. Communication

All communication regarding security incidents must occur exclusively through
the GitHub Security Advisories page.

Once the incident is resolved, a coordinated disclosure is agreed upon,
and a fix is released, a public summary will be published.
Typically we request a CVE as well.

## 8. Post-Incident

1. **Review** the incident and response.
2. **Update** documentation or automation as needed.
3. **Publish** an advisory for significant incidents.
4. **Credit** everyone involved unless they explicitly ask to remain anonymous.

## 9. References

[SECURITY.md](./SECURITY.md)

[gsa]: https://github.com/goreleaser/goreleaser/security/advisories/new
[cia]: https://www.energy.gov/femp/operational-technology-cybersecurity-energy-systems#cia
docs: irp Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> 2025-09-11 23:10:33 -03:00			`# Incident Response Plan`

			`This document outlines how the GoReleaser team responds to security incidents,`
			`critical bugs, or operational disruptions that could affect users or the`
			`trustworthiness of the project.`

			`---`

			`## 1. Scope`

			`This plan applies to everything in the`
			`[goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) repository,`
			`including code, releases, and GitHub workflows.`

			`## 2. Roles & Contacts`

			`- Incident Lead: By default, [@caarlos0](https://github.com/caarlos0).`
			`- Security Contact: All incidents must be reported via only`
			`[GitHub Security Advisories][gsa].`

			`## 3. Detection & Reporting`

			`All security incidents are initially considered sensitive.`

			`They must be reported privately and exclusively through`
			`[GitHub Security Advisories][gsa].`

			`Do not disclose incidents via issues, pull requests, or public channels.`

			`## 4. Initial Response`

			`1. Acknowledge the report and thank the reporter.`
			`2. Assess the severity and validity. See [CIA][cia].`
			`3. Engage other maintainers if needed.`
			`4. Contain the issue if possible (revoke credentials, disable workflows).`

			`## 5. Investigation & Mitigation`

			`- Investigate root cause and potential impact.`
			`- Mitigate:`
			`- Patch vulnerabilities.`
			`- Rotate credentials (tokens/keys) if needed.`
			`- Document all findings and actions.`

			`## 6. Resolution Timeline`

			`Resolution or assessment will typically be provided within 30 days of`
			`acknowledgment.`

			`## 7. Communication`

			`All communication regarding security incidents must occur exclusively through`
			`the GitHub Security Advisories page.`

			`Once the incident is resolved, a coordinated disclosure is agreed upon,`
			`and a fix is released, a public summary will be published.`
			`Typically we request a CVE as well.`

			`## 8. Post-Incident`

			`1. Review the incident and response.`
			`2. Update documentation or automation as needed.`
			`3. Publish an advisory for significant incidents.`
			`4. Credit everyone involved unless they explicitly ask to remain anonymous.`

			`## 9. References`

			`[SECURITY.md](./SECURITY.md)`

			`[gsa]: https://github.com/goreleaser/goreleaser/security/advisories/new`
			`[cia]: https://www.energy.gov/femp/operational-technology-cybersecurity-energy-systems#cia`