Skip to content

S19.05: Vulnerability triage runbook #581

Description

@DavidCozens

Parent epic: #155

Deliver docs/security/triage-runbook.md — the executable six-stage vulnerability-response runbook per E19 (#155).

Six stages

  1. Receipt (0–72h): log the report, auto-ack from form, human ack within 72h.
  2. Triage (0–7d): scope (Core/Platform/Bdd/out-of-repo), reproduce, assign CVSS v3.1, draft GHSA, request CVE, decide public vs private fix, update reporter.
  3. Fix development: regression test first (TDD); fix; Conventional Commit updates CHANGELOG via release-please.
  4. Release coordination: merge fix; merge release-please PR; release.published attaches SBOM + signatures; publish GHSA coordinated with release.
  5. Post-release: notify reporter, credit per consent, close tracking.
  6. Retrospective: how the bug got in, did tests catch it, process gaps, similar-class issues.

Also cover

  • Reporter comms cadence (update at each stage transition).
  • Out-of-scope / incorrect / intended-behaviour reports.
  • Upstream-dependency root cause; self-reported issues (same flow, no external reporter).
  • Maintainer unavailability: short-term (SLAs + force-majeure), medium-term (holding statement + cover), long-term (triggers continuity relicensing).
  • Evidence retention: GitHub retains published GHSAs, release assets, SBOMs, signatures, and history indefinitely — that is the CRA 10-year evidence store; state this explicitly.

Acceptance

Runbook present; maintainer can execute an end-to-end response from it without external references.

Metadata

Metadata

Assignees

No one assigned

    Labels

    storyStory issue

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions