Skip to content

Commit 2e0683d

Browse files
authored
Create incident response docs (#2070)
1 parent fe88ac2 commit 2e0683d

1 file changed

Lines changed: 28 additions & 0 deletions

File tree

docs/INCIDENT_RESPONSE.md

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,28 @@
1+
# How PostCSS Handles Incidents
2+
3+
## 1. Detection & Triage
4+
5+
We monitor security reports sent via [security outreach](./SECURITY.md), GitHub advisories, issues, and npm notifications.
6+
7+
## 2. Assessment
8+
9+
Check the severity:
10+
11+
- **Critical:** npm package or repo compromised, malicious code, supply chain attack.
12+
- **High:** Vulnerabilities that allow code execution, or leak secrets.
13+
- **Low:** Denial of service or memory leaks when PostCSS is used as a server-side REPL that receives CSS from third parties.
14+
15+
## 3. Response
16+
17+
1. Acknowledge the report (privately if sensitive, publicly if not).
18+
2. For critical/high issues:
19+
1. Deprecate or yank affected npm versions if needed.
20+
2. Rotate any exposed secrets/tokens.
21+
3. Patch the bug or vulnerability.
22+
3. For low issues: patch and document the fix.
23+
24+
## 4. Communication
25+
26+
We will publish update in our Twitter `@postcss` and PostCSS’s wiki.
27+
28+
We will release CVE for Critical/High issues. We prefer to not release CVE for Low issues since we have small number of such users (but could change our minds depends on the issue).

0 commit comments

Comments
 (0)