- Reporting vulnerabilities
- Security Point of Contact
- Incident Response Process
- Additional Information
Pull requests to improve this document are welcome and appreciated.
DO NOT CREATE AN ISSUE to report a vulnerability.
Instead, please send an email to [email protected]. See Responsible Disclosure for more details.
After you send an email to [email protected], you should receive a response from Jon Schlinkert or Brian Woodward within one business day.
When incidents are discovered or reported, we adhere to the following process to contain, respond and remediate:
The first step is to find out the root cause, nature and scope of the incident.
- Is it still ongoing? If yes, the first priority is to fix it.
- Is the incident outside of our control or influence? If yes, the first priority is to contain it.
- Find out who knows about the incident and who is affected.
After the initial assessment and containment to the best of our abilities, we will document all actions taken in one or all of the following places, depending on the nature and severity of the issue:
- CHANGELOG
- Dedicated issue (pinned if necessary)
- Deprecation notice(s) for any versions affected by the issue
When applicable, once the incident is confirmed to be resolved, we will summarize the lessons learned from the incident and create a list of actions we will take to prevent it from happening again.
All helpers projects are:
- open source
- made available under the permissive copy-left MIT License
- supported by software developers in their free time
You can learn about critical software updates and security threats from these sources:
- GitHub Security Alerts
- Greenkeeper Dependency Updates
- GitHub: https://status.github.com/ & @githubstatus
- Zeit (Hosting): https://zeit-status.co/ & @zeit_status
- Travis (CI/CD): https://www.traviscistatus.com/ & @traviscistatus