From 825a1ae95c9c71725f95f142da79e80d526de6e7 Mon Sep 17 00:00:00 2001 From: mkagenius Date: Tue, 14 Apr 2026 12:44:40 +0530 Subject: [PATCH] Add Incident Response Plan (IRP) for vulnerability handling Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- INCIDENT_RESPONSE.md | 69 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 INCIDENT_RESPONSE.md diff --git a/INCIDENT_RESPONSE.md b/INCIDENT_RESPONSE.md new file mode 100644 index 0000000..021c1ae --- /dev/null +++ b/INCIDENT_RESPONSE.md @@ -0,0 +1,69 @@ +# Incident Response Plan (IRP) + +This document outlines how we handle security vulnerabilities. It is a living document. Reporters and stakeholders can use the phases below to understand where we are during an active incident. + +We support two disclosure strategies: + +- **Advisory With Patch** _(default)_: A fix is prepared privately and released alongside a public advisory. +- **Advisory Early** _(rare)_: An advisory is published before a fix is available — used when the vulnerability is already public or actively exploited. + +--- + +## Phase 1 — Triage +_"We're investigating."_ +**Target: within 36 hours of report** + +- Acknowledge receipt to the reporter. +- Reproduce and validate the vulnerability. +- Assess severity: + - **Critical** — Active exploitation or data exposure. Drop everything. + - **High** — Exploitable, no known active exploitation. + - **Medium/Low** — Limited impact or requires unlikely conditions. +- Create a draft [GitHub Security Advisory (GHSA)](https://docs.github.com/en/code-security/security-advisories). +- Decide disclosure strategy (Advisory With Patch or Advisory Early). + +## Phase 2 — Containment +_"We've identified the issue and are limiting its impact."_ +**Target: 1–7 days after triage** + +- Isolate affected systems or services (revoke keys, disable endpoints, pull images). +- Preserve evidence (logs, snapshots) before making changes. +- Scope impact: identify affected components, versions, and platforms. +- Request a CVE via the GitHub advisory interface. +- Communicate status to the reporter. + +## Phase 3 — Fix & Release +_"We're working on a fix."_ +**Target: within 90 days of initial report** + +- Develop and test a patch. +- At least 2 team members review and sign off. +- Publish the GHSA and deploy the fix simultaneously. +- _Advisory Early: update the existing public advisory with fix details._ + +## Phase 4 — Disclosure +_"The fix is live. Here's what happened."_ +**Target: same day as fix release** + +- Notify the reporter that the issue is resolved. +- Credit the reporter (unless they prefer anonymity). +- Verify the published advisory is accurate and complete. +- We follow the industry-standard **90-day coordinated disclosure window**. If a fix cannot ship in 90 days, we coordinate with the reporter on a revised timeline. + +## Phase 5 — Post-Incident Review +_"We're making sure this doesn't happen again."_ +**Target: within 2 weeks of resolution** + +- Document root cause, timeline, and actions taken. +- Identify process or code improvements to prevent recurrence. +- Update this plan if gaps were found. + +--- + +## Contact + +Email: [hello@instavm.io](mailto:hello@instavm.io) + +## Reporting a Vulnerability + +See [SECURITY.md](SECURITY.md). **Do not open public issues.**