From 11d557316a9b39b5c2c589512bd8834e86f3552c Mon Sep 17 00:00:00 2001 From: Carlos Alexandro Becker Date: Thu, 11 Sep 2025 23:10:33 -0300 Subject: [PATCH] docs: irp Signed-off-by: Carlos Alexandro Becker --- INCIDENT_RESPONSE.md | 71 ++++++++++++++++++++++++++++++++++++++++++++ SECURITY.md | 2 -- 2 files changed, 71 insertions(+), 2 deletions(-) create mode 100644 INCIDENT_RESPONSE.md diff --git a/INCIDENT_RESPONSE.md b/INCIDENT_RESPONSE.md new file mode 100644 index 000000000..a3f97b9ce --- /dev/null +++ b/INCIDENT_RESPONSE.md 
@@ -0,0 +1,71 @@ +# Incident Response Plan + +This document outlines how the GoReleaser team responds to security incidents, +critical bugs, or operational disruptions that could affect users or the +trustworthiness of the project. + +--- + +## 1. Scope + +This plan applies to everything in the +[goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) repository, +including code, releases, and GitHub workflows. + +## 2. Roles & Contacts + +- **Incident Lead:** By default, [@caarlos0](https://github.com/caarlos0). +- **Security Contact:** All incidents must be reported via only + [GitHub Security Advisories][gsa]. + +## 3. Detection & Reporting + +**All security incidents are initially considered sensitive.** + +They must be reported privately and exclusively through +[GitHub Security Advisories][gsa]. + +Do not disclose incidents via issues, pull requests, or public channels. + +## 4. Initial Response + +1. **Acknowledge** the report and thank the reporter. +2. **Assess** the severity and validity. See [CIA][cia]. +3. **Engage** other maintainers if needed. +4. **Contain** the issue if possible (revoke credentials, disable workflows). + +## 5. Investigation & Mitigation + +- **Investigate** root cause and potential impact. +- **Mitigate**: + - Patch vulnerabilities. + - Rotate credentials (tokens/keys) if needed. +- **Document** all findings and actions. + +## 6. Resolution Timeline + +Resolution or assessment will typically be provided within **30 days** of +acknowledgment. + +## 7. Communication + +All communication regarding security incidents must occur exclusively through +the GitHub Security Advisories page. + +Once the incident is resolved, a coordinated disclosure is agreed upon, +and a fix is released, a public summary will be published. +Typically we request a CVE as well. + +## 8. Post-Incident + +1. **Review** the incident and response. +2. **Update** documentation or automation as needed. +3. **Publish** an advisory for significant incidents. 
+4. **Credit** everyone involved unless they explicitly ask to remain anonymous. + +## 9. References + +[SECURITY.md](./SECURITY.md) + +[gsa]: https://github.com/goreleaser/goreleaser/security/advisories/new +[cia]: https://www.energy.gov/femp/operational-technology-cybersecurity-energy-systems#cia diff --git a/SECURITY.md b/SECURITY.md index 607573c98..e0e87deef 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -26,5 +26,3 @@ Vulnerabilities can be disclosed in private using For issues specific to GoReleaser Pro, please refer to [this instead](https://github.com/goreleaser/goreleaser-pro/security/policy). - -Thanks!
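Review bot: In the INCIDENT_RESPONSE.md hunk the scope and the reporting channel disagree. The intro says the plan covers "security incidents, critical bugs, or operational disruptions", but section 2 says "All incidents must be reported via only [GitHub Security Advisories]" and section 3 says "Do not disclose incidents via issues, pull requests, or public channels". Read literally, this routes every critical bug and outage through a private security advisory, which is not what the team will want; suggest either narrowing the intro to security incidents or adding a sentence that non-security bugs and disruptions go through normal issues. Two smaller points in the same hunk: "reported via only" reads better as "reported only via", and the "See [CIA][cia]" link in step 2 of section 4 points to a DOE operational-technology page and does not say what "CIA" means; spelling out "confidentiality, integrity and availability impact" inline (or linking a severity scale such as CVSS) would make the assessment step usable without the external page. Also, section 6 gives a 30-day bound for resolution but section 4 gives no target for the initial acknowledgment; a stated acknowledgment window would set reporter expectations.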
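Review bot: The SECURITY.md hunk only drops the trailing "Thanks!" and does not point readers at the new plan, even though INCIDENT_RESPONSE.md links back to SECURITY.md under "## 9. References". Since SECURITY.md is the page GitHub surfaces to reporters, suggest replacing the removed line with a cross-reference, e.g. "See [INCIDENT_RESPONSE.md](./INCIDENT_RESPONSE.md) for how reports are triaged and disclosed.", so the two documents reference each other.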