mirror of
https://github.com/goreleaser/goreleaser.git
synced 2025-10-08 23:12:05 +02:00
docs: irp
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
INCIDENT_RESPONSE.md (new file, 71 lines)
@@ -0,0 +1,71 @@
# Incident Response Plan
This document outlines how the GoReleaser team responds to security incidents,
critical bugs, or operational disruptions that could affect users or the
trustworthiness of the project.
---
## 1. Scope
This plan applies to everything in the
[goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) repository,
including code, releases, and GitHub workflows.
## 2. Roles & Contacts
- **Incident Lead:** By default, [@caarlos0](https://github.com/caarlos0).
- **Security Contact:** All incidents must be reported via only
[GitHub Security Advisories][gsa].
## 3. Detection & Reporting
**All security incidents are initially considered sensitive.**
They must be reported privately and exclusively through
[GitHub Security Advisories][gsa].
Do not disclose incidents via issues, pull requests, or public channels.
## 4. Initial Response
1. **Acknowledge** the report and thank the reporter.
2. **Assess** the severity and validity. See [CIA][cia].
3. **Engage** other maintainers if needed.
4. **Contain** the issue if possible (revoke credentials, disable workflows).
## 5. Investigation & Mitigation
- **Investigate** root cause and potential impact.
- **Mitigate**:
- Patch vulnerabilities.
- Rotate credentials (tokens/keys) if needed.
- **Document** all findings and actions.
## 6. Resolution Timeline
Resolution or assessment will typically be provided within **30 days** of
acknowledgment.
## 7. Communication
All communication regarding security incidents must occur exclusively through
the GitHub Security Advisories page.
Once the incident is resolved, a coordinated disclosure is agreed upon,
and a fix is released, a public summary will be published.
Typically we request a CVE as well.
## 8. Post-Incident
1. **Review** the incident and response.
2. **Update** documentation or automation as needed.
3. **Publish** an advisory for significant incidents.
4. **Credit** everyone involved unless they explicitly ask to remain anonymous.
## 9. References
[SECURITY.md](./SECURITY.md)
[gsa]: https://github.com/goreleaser/goreleaser/security/advisories/new
[cia]: https://www.energy.gov/femp/operational-technology-cybersecurity-energy-systems#cia
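Review bot: the containment step in section 4 ("4. **Contain** the issue if possible (revoke credentials, disable workflows).") names no action for releases, although section 1 puts "code, releases, and GitHub workflows" in scope and publishing releases is what this project does; consider adding "withdraw or mark affected release artifacts and rotate signing keys" so a compromised release is handled as deliberately as a leaked token. Two smaller points in the same file: section 4 step 2 says "See [CIA][cia]" without expanding the acronym, and the `[cia]` reference at the bottom points at a U.S. Department of Energy page on operational-technology cybersecurity, an odd home for a Go project's severity rubric; spelling out confidentiality, integrity and availability in place, and stating how severity is rated, would read more clearly. In section 2, "must be reported via only" should be "must be reported only via", and since GitHub Security Advisories is the sole channel in sections 2, 3 and 7, a fallback contact for a reporter who cannot use GitHub would close a gap in the plan.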
@@ -26,5 +26,3 @@ Vulnerabilities can be disclosed in private using
For issues specific to GoReleaser Pro, please refer to
[this instead](https://github.com/goreleaser/goreleaser-pro/security/policy).
Thanks!
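Review bot: the header `@@ -26,5 +26,3 @@` says two lines leave this section, but the rendered view drops the `+`/`-` markers and the file header, so it is not visible here which lines were removed; worth confirming on the raw diff that the private-disclosure instructions introduced by the context line ("Vulnerabilities can be disclosed in private using") still name the GitHub Security Advisories form that INCIDENT_RESPONSE.md now makes mandatory. Also, INCIDENT_RESPONSE.md links to SECURITY.md in its references section, but nothing in this hunk links back; a one-line pointer to the incident response plan next to the GoReleaser Pro note would let reporters find the 30-day resolution window and the communication rules.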