diff --git a/INCIDENT_REPONSE_PLAN.md b/INCIDENT_REPONSE_PLAN.md new file mode 100644 index 000000000..6affc0721 --- /dev/null +++ b/INCIDENT_REPONSE_PLAN.md 
@@ -0,0 +1,65 @@ +# Webpack Security Incident Response Plan + +This document defines how the Webpack project responds to security incidents. + It is intended for maintainers and contributors who may need to coordinate a response. + +## Scope + +This plan applies to incidents such as: + +- Vulnerabilities in Webpack core modules or official tools (e.g., `webpack-cli`, `webpack-dev-server`). +- Dependency vulnerabilities that impact Webpack users. +- Premature public disclosure of a vulnerability. +- Account compromise or supply-chain risks affecting the project. + +## Communication Channels + +- **Private & Preferred**: [GitHub Security Advisories](https://github.com/webpack/webpack/security/advisories). +- **Email**: `webpack-security@openjsf.org`. +- **Public**: GitHub releases, changelog, and advisories (after fix is available). + +## Incident Response Workflow + +### 1. Report Received + +- Reports should be submitted via GitHub Security Advisories (preferred) or private email. +- **Acknowledgment timelines**: + - Standard reports: within **30 days**. + - Zero-day or critical vulnerabilities: within **7 days**. + +### 2. Triage & Assessment + +- Validate whether the report is security-related. +- Classify severity (critical, high, medium, low). +- Determine impact and scope (affected versions, configurations, or environments). + +### 3. Containment & Private Fix Development + +- Create a **private working group** (e.g., GitHub private fork or draft advisory). +- Explore temporary mitigations if immediate patching is not feasible. +- Maintain confidentiality during the process. + +### 4. Fix & Testing + +- Develop and review a fix privately. +- Add regression tests where applicable. +- Backport fixes to supported major versions if relevant. + +### 5. Release + +- Publish a patched release. +- Publish a security advisory simultaneously, including: + - Description of the issue. + - Impacted versions. + - Severity rating. + - Mitigation or upgrade steps. 
+ +## Summary Table + +| Step | Action | Responsible Party | +| --------------- | ----------------------------------------------- | --------------------------- | +| Report | Submit via GH Advisory or email | Reporter | +| Acknowledge | Confirm receipt (30 days / 7 days for critical) | Security Maintainer | +| Triage | Validate and classify severity | Security Maintainer | +| Containment/Fix | Develop patch privately | Core + Security Maintainers | +| Release | Publish patch & advisory | Security Maintainer | diff --git a/SECURITY.md b/SECURITY.md index 0551ac700..05967ffb6 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -7,3 +7,8 @@ This will allow us to assess the risk, and make a fix available before we add a bug report to the GitHub repository. Thanks for helping make webpack safe for everyone. + +## Incident Response Plan + +In the event of a security incident, please refer to the +[Security Incident Response Plan](https://github.com/webpack/webpack/blob/main/INCIDENT_RESPONSE_PLAN.md).
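Review bot: the new file is added as `INCIDENT_REPONSE_PLAN.md` (missing the "S" in RESPONSE) in the `diff --git a/INCIDENT_REPONSE_PLAN.md b/INCIDENT_REPONSE_PLAN.md` header, which does not match the name the document itself uses and that SECURITY.md links to; rename it to `INCIDENT_RESPONSE_PLAN.md` before merging. Separately, the Scope section lists "Premature public disclosure of a vulnerability" and "Account compromise or supply-chain risks affecting the project", but steps 1 to 5 and the Summary Table only describe the private report-triage-fix-release path; consider either narrowing Scope to vulnerability reports or adding a short step for those cases (who is contacted, how an accelerated release is handled when the issue is already public, and how compromised maintainer or publishing credentials are revoked and rotated).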
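Review bot: in the SECURITY.md hunk, the added link points at `https://github.com/webpack/webpack/blob/main/INCIDENT_RESPONSE_PLAN.md` while the file introduced by this same change is named `INCIDENT_REPONSE_PLAN.md`, so the link will 404 as soon as this is merged; it also hard-codes the `main` branch of the upstream repository, which breaks on forks and release branches. Suggest a relative link once the file name is corrected, e.g. `[Security Incident Response Plan](./INCIDENT_RESPONSE_PLAN.md)`.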