Vulnerability Response Runbook
Public reporting guidance lives in SECURITY.md. This page documents the maintainer workflow after a private report arrives.
Triage
- Acknowledge receipt within 48 hours where practical.
- Reproduce the report; if it cannot be reproduced, bound its impact from the description and the affected code paths.
- Identify affected versions, which of them are still supported, and the capabilities an attacker needs (network position, credentials, a malicious server, or a crafted input).
- Assign severity using the rubric below.
- Decide whether an embargo is needed before the fix is discussed or pushed publicly.
Severity Rubric
| Severity | Examples |
|---|---|
| Critical | credential disclosure, host key verification bypass, remote code execution in supported usage |
| High | SFTP data corruption with security impact, exploitable dependency in runtime path |
| Medium | denial of service, malformed input crash, unsafe diagnostic leakage |
| Low | hardening issue, incomplete warning, low-impact dependency advisory |
GHSA and CVE Handling
Open a draft GitHub Security Advisory (GHSA) and use it for private coordination with the reporter and any collaborators. Request a CVE through the advisory when the issue affects released versions and has meaningful downstream security impact; issues that only exist on unreleased branches normally do not need one.
Patch Release Flow
- Prepare the fix on a private branch while an embargo applies, or on a minimal public branch whose commits do not describe the vulnerability.
- Add regression coverage when it can be included without disclosing the issue before the release.
- Run the security, unit, integration, and release dry-run checks.
- Publish a patch release through the documented release process.
- Publish the advisory details only after the fixed artifacts are available to downstream users.
Reporter Communication
Keep communication concise:
- acknowledgement
- affected scope
- expected fix path
- disclosure timing
- credit preference when disclosure happens
Never request or discuss exploit details in public issues; move any such thread into the private advisory.