Security report runbook¶
Use this when a vulnerability is reported privately.
First hour¶
- Acknowledge receipt privately.
- Do not discuss details in public issues or pull requests.
- Preserve the original report and reporter contact.
- Triage affected versions, exploitability, and whether the issue is runtime or development-only.
Investigation¶
- Reproduce the issue in a private branch or fork.
- Identify the smallest safe fix.
- Add a regression test when possible.
-
Run:
make check make test-matrix
Remediation¶
- Prepare a private advisory if supported by the host.
- Coordinate disclosure timing with the reporter.
- Release patched versions.
- Publish the advisory with affected versions and mitigation guidance.
- Credit the reporter if they want credit.
If credentials are involved¶
Immediately rotate or revoke the credential, then follow the incident-response runbook.