Security Playbook¶
Welcome
Ship verifiably secure releases and respond quickly to vulnerabilities. This page covers policy, release integrity, CI, and response.
- Security Policy (SECURITY.md)
Private contact, PGP key, embargo flow, supported versions, backport policy.
- Release Integrity
SemVer, signed artifacts (cosign/GPG), provenance (SLSA), and SBOM per release.
- CI & Protections
Branch protection, required checks, Scorecards in CI, dependency update policy.
- Vulnerability Response
Triage in 48h; fix/mitigation in 7–14 days; private coordination; advisories.
Security Policy (SECURITY.md)¶
- Contact: security@… and PGP key (optional)
- Embargo: intake → triage → coordinated fix → disclosure
- Support: list supported versions and backport windows
Release Integrity¶
- SemVer with clear pre-releases (alpha/beta/rc)
- Signing (cosign/GPG) for all artifacts; publish provenance (SLSA-aligned)
- SBOM per release attached to artifacts
CI / Protections¶
- Branch protection: required reviews & checks; consider signed commits
- OpenSSF Scorecard in CI; track checks like token permissions & pinned deps
- Regular dependency updates; avoid unreviewed auto-merges
Vulnerability Response¶
- Triage within 48 hours; guidance/fix within 7–14 days by severity
- Coordinate with downstreams prior to disclosure
- Publish advisories and changelog entries
Supply-Chain Hygiene¶
- Pin build deps; aim for reproducible builds
- Restrict GitHub Actions tokens & use trusted, reusable workflows
- Avoid fetching unpinned scripts/binaries at build time
Checklists¶
- SECURITY.md with contact + embargo
- Signed releases + provenance + SBOM
- Scorecard CI in place
- Vulnerability response runbook documented