# Vulnerability Disclosure Process

## Reporting
Security vulnerabilities should be reported via GitHub's private vulnerability reporting feature. Navigate to the repository Security tab and select "Report a vulnerability."
Do not open a public issue for security vulnerabilities.
## Response SLAs
| Severity | Acknowledge | Triage | Fix |
|---|---|---|---|
| Critical | 24 hours | 48 hours | 7 days |
| High | 48 hours | 5 days | 14 days |
| Medium | 5 days | 10 days | 30 days |
| Low | 10 days | 30 days | Next release |
## Triage Process
- Acknowledge receipt to the reporter
- Reproduce the vulnerability
- Assess severity using CVSS or equivalent
- Determine affected components and blast radius
- Create a private fix branch
- Test the fix
- Merge and release
- Notify the reporter
- Publish advisory if applicable
## Scope
This process covers:
- The repository code and configuration
- GitHub Actions workflows
- Dependencies (npm and Python)
- The deployed site (chrisnewcomb.name)
- Cloudflare configuration
## Coordination
For vulnerabilities in upstream dependencies (Docusaurus, npm packages), the process is:
- Check if a patch exists upstream
- If yes, update the dependency
- If no, document as accepted risk in SECURITY.md with mitigation details
- Monitor upstream for a fix
## SECURITY.md
The root-level SECURITY.md file provides the public-facing reporting instructions and must stay in sync with this document. Updates to the disclosure process should be reflected in both locations.