mirror of https://github.com/webpack/webpack.git
docs: add incident response plan (#19841)
This commit is contained in:
Rafael Gonzaga
GitHub
parent
2d25a95d8c
commit
deac8ba5e1
|
|
@ -0,0 +1,65 @@
|
||||||
|
# Webpack Security Incident Response Plan
|
||||||
|
|
||||||
|
This document defines how the Webpack project responds to security incidents.
|
||||||
|
It is intended for maintainers and contributors who may need to coordinate a response.
|
||||||
|
|
||||||
|
## Scope
|
||||||
|
|
||||||
|
This plan applies to incidents such as:
|
||||||
|
|
||||||
|
- Vulnerabilities in Webpack core modules or official tools (e.g., `webpack-cli`, `webpack-dev-server`).
|
||||||
|
- Dependency vulnerabilities that impact Webpack users.
|
||||||
|
- Premature public disclosure of a vulnerability.
|
||||||
|
- Account compromise or supply-chain risks affecting the project.
|
||||||
|
|
||||||
|
## Communication Channels
|
||||||
|
|
||||||
|
- **Private & Preferred**: [GitHub Security Advisories](https://github.com/webpack/webpack/security/advisories).
|
||||||
|
- **Email**: `webpack-security@openjsf.org`.
|
||||||
|
- **Public**: GitHub releases, changelog, and advisories (after fix is available).
|
||||||
|
|
||||||
|
## Incident Response Workflow
|
||||||
|
|
||||||
|
### 1. Report Received
|
||||||
|
|
||||||
|
- Reports should be submitted via GitHub Security Advisories (preferred) or private email.
|
||||||
|
- **Acknowledgment timelines**:
|
||||||
|
- Standard reports: within **30 days**.
|
||||||
|
- Zero-day or critical vulnerabilities: within **7 days**.
|
||||||
|
|
||||||
|
### 2. Triage & Assessment
|
||||||
|
|
||||||
|
- Validate whether the report is security-related.
|
||||||
|
- Classify severity (critical, high, medium, low).
|
||||||
|
- Determine impact and scope (affected versions, configurations, or environments).
|
||||||
|
|
||||||
|
### 3. Containment & Private Fix Development
|
||||||
|
|
||||||
|
- Create a **private working group** (e.g., GitHub private fork or draft advisory).
|
||||||
|
- Explore temporary mitigations if immediate patching is not feasible.
|
||||||
|
- Maintain confidentiality during the process.
|
||||||
|
|
||||||
|
### 4. Fix & Testing
|
||||||
|
|
||||||
|
- Develop and review a fix privately.
|
||||||
|
- Add regression tests where applicable.
|
||||||
|
- Backport fixes to supported major versions if relevant.
|
||||||
|
|
||||||
|
### 5. Release
|
||||||
|
|
||||||
|
- Publish a patched release.
|
||||||
|
- Publish a security advisory simultaneously, including:
|
||||||
|
- Description of the issue.
|
||||||
|
- Impacted versions.
|
||||||
|
- Severity rating.
|
||||||
|
- Mitigation or upgrade steps.
|
||||||
|
|
||||||
|
## Summary Table
|
||||||
|
|
||||||
|
| Step | Action | Responsible Party |
|
||||||
|
| --------------- | ----------------------------------------------- | --------------------------- |
|
||||||
|
| Report | Submit via GH Advisory or email | Reporter |
|
||||||
|
| Acknowledge | Confirm receipt (30 days / 7 days for critical) | Security Maintainer |
|
||||||
|
| Triage | Validate and classify severity | Security Maintainer |
|
||||||
|
| Containment/Fix | Develop patch privately | Core + Security Maintainers |
|
||||||
|
| Release | Publish patch & advisory | Security Maintainer |
|
||||||
|
|
@ -7,3 +7,8 @@ This will allow us to assess the risk, and make a fix available before we add a
|
||||||
bug report to the GitHub repository.
|
bug report to the GitHub repository.
|
||||||
|
|
||||||
Thanks for helping make webpack safe for everyone.
|
Thanks for helping make webpack safe for everyone.
|
||||||
|
|
||||||
|
## Incident Response Plan
|
||||||
|
|
||||||
|
In the event of a security incident, please refer to the
|
||||||
|
[Security Incident Response Plan](https://github.com/webpack/webpack/blob/main/INCIDENT_RESPONSE_PLAN.md).
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue