1 | | -# Reporting Security Issues |
| 1 | +# Security Policy |
2 | 2 |
|
3 | | -If you discover a security issue in webpack, please report it by sending an |
4 | | -email to [webpack@opencollective.com](mailto:webpack@opencollective.com). |
| 3 | +## Reporting a Vulnerability |
5 | 4 |
|
6 | | -This will allow us to assess the risk, and make a fix available before we add a |
7 | | -bug report to the GitHub repository. |
| 5 | +Please report security issues **privately**: |
8 | 6 |
|
9 | | -Thanks for helping make webpack safe for everyone. |
| 7 | +- Email: [webpack-security@openjsf.org](mailto:webpack-security@openjsf.org) |
| 8 | + |
| 9 | +**Do not** file public GitHub issues for security problems. |
| 10 | + |
| 11 | +When reporting, please include: |
| 12 | + |
| 13 | +- Affected project/repo and version(s) |
| 14 | +- Impact and component(s) involved |
| 15 | +- Reproduction steps or PoC (if available) |
| 16 | +- Your contact details and preferred credit name |
| 17 | + |
| 18 | +If you do not receive an acknowledgement of your report within **6 business days**, or if you cannot find a private security contact for the project, you may **escalate to the OpenJS Foundation CNA** at `security@lists.openjsf.org`. |
| 19 | + |
| 20 | +If the project acknowledges your report but does not provide any further response or engagement within **14 days**, escalation is also appropriate. |
| 21 | + |
| 22 | +## Coordination & Disclosure |
| 23 | + |
| 24 | +We follow coordinated vulnerability disclosure: |
| 25 | + |
| 26 | +- We will acknowledge your report, assess impact, and work on a fix. |
| 27 | +- We aim to provide status updates until resolution. |
| 28 | +- Once a fix or mitigation is available, we will publish a security advisory (and request a CVE via the OpenJS CNA when applicable). |
| 29 | +- Reporters are credited by default unless you request otherwise. |
| 30 | + |
| 31 | +--- |
| 32 | + |
| 33 | +## Guidelines for Security Testing |
| 34 | + |
| 35 | +When investigating and reporting vulnerabilities, please **do not**: |
| 36 | + |
| 37 | +- Break the law |
| 38 | +- Access or modify data beyond what is needed to demonstrate the issue |
| 39 | +- Use high-intensity or destructive testing tools |
| 40 | +- Attempt denial of service (DoS) attacks |
| 41 | +- Social engineer, phish, or physically attack project members |
| 42 | +- Publicly disclose before we release a fix or advisory |
| 43 | + |
| 44 | +--- |
10 | 45 |
|
11 | 46 | ## Threat Model |
12 | 47 |
|
13 | 48 | For an overview of the security assumptions, potential attack vectors, and areas |
14 | 49 | of concern relevant to webpack, please refer to the |
15 | 50 | [Threat Model](https://github.com/webpack/security-wg/blob/main/docs/threat-model.md). |
16 | 51 |
|
17 | | -## Incident Response Plan |
| 52 | +--- |
| 53 | + |
| 54 | +## Incident Response |
18 | 55 |
|
19 | | -In the event of a security incident, please refer to the |
| 56 | +In the event of a broader security incident, please refer to our |
20 | 57 | [Security Incident Response Plan](https://github.com/webpack/webpack/blob/main/INCIDENT_RESPONSE_PLAN.md). |
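Review bot: The "When reporting, please include" list asks for "Affected project/repo and version(s)", but nothing in the new policy says which webpack release lines are in scope for security fixes, so a reporter cannot tell whether a finding against an older major version is actionable; add a short "Supported Versions" note (which versions still receive security patches) next to "Reporting a Vulnerability". Two smaller points: the only intake channel listed is a plain mailbox (`webpack-security@openjsf.org`), so state whether it accepts encrypted reports or name an alternative private channel if one exists, since the policy forbids public issues; and the "Break the law" bullet under "Guidelines for Security Testing" is too vague for a build-tool project whose users test locally, so consider replacing it with concrete scope (e.g. "test only against installations you own or are authorized to test"), which also makes the DoS and data-access bullets read consistently.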