|
| 1 | +# Incident Response Process for **resolve** |
| 2 | + |
| 3 | +## Reporting a Vulnerability |
| 4 | + |
| 5 | +We take the security of **resolve** very seriously. If you believe you’ve found a security vulnerability, please inform us responsibly through coordinated disclosure. |
| 6 | + |
| 7 | +### How to Report |
| 8 | + |
| 9 | +> **Do not** report security vulnerabilities through public GitHub issues, discussions, or social media. |
| 10 | +
|
| 11 | +Instead, please use one of these secure channels: |
| 12 | + |
| 13 | +1. **GitHub Security Advisories** |
| 14 | + Use the **Report a vulnerability** button in the Security tab of the [browserify/resolve repository](https://github.com/browserify/resolve). |
| 15 | + |
| 16 | +2. **Email** |
| 17 | + Follow the posted [Security Policy](https://github.com/browserify/resolve/security/policy). |
| 18 | + |
| 19 | +### What to Include |
| 20 | + |
| 21 | +**Required Information:** |
| 22 | +- Brief description of the vulnerability type |
| 23 | +- Affected version(s) and components |
| 24 | +- Steps to reproduce the issue |
| 25 | +- Impact assessment (what an attacker could achieve) |
| 26 | +- Confirm the issue is not present in test files (in other words, only via the official entry points in `exports`) |
| 27 | + |
| 28 | +**Helpful Additional Details:** |
| 29 | +- Full paths of affected source files |
| 30 | +- Specific commit or branch where the issue exists |
| 31 | +- Required configuration to reproduce |
| 32 | +- Proof-of-concept code (if available) |
| 33 | +- Suggested mitigation or fix |
| 34 | + |
| 35 | +## Our Response Process |
| 36 | + |
| 37 | +**Timeline Commitments:** |
| 38 | +- **Initial acknowledgment**: Within 24 hours |
| 39 | +- **Detailed response**: Within 3 business days |
| 40 | +- **Status updates**: Every 7 days until resolved |
| 41 | +- **Resolution target**: 90 days for most issues |
| 42 | + |
| 43 | +**What We’ll Do:** |
| 44 | +1. Acknowledge your report and assign a tracking ID |
| 45 | +2. Assess the vulnerability and determine severity |
| 46 | +3. Develop and test a fix |
| 47 | +4. Coordinate disclosure timeline with you |
| 48 | +5. Release a security update and publish an advisory and CVE |
| 49 | +6. Credit you in our security advisory (if desired) |
| 50 | + |
| 51 | +## Disclosure Policy |
| 52 | + |
| 53 | +- **Coordinated disclosure**: We’ll work with you on timing |
| 54 | +- **Typical timeline**: 90 days from report to public disclosure |
| 55 | +- **Early disclosure**: If actively exploited |
| 56 | +- **Delayed disclosure**: For complex issues |
| 57 | + |
| 58 | +## Scope |
| 59 | + |
| 60 | +**In Scope:** |
| 61 | +- **resolve** package (all supported versions) |
| 62 | +- Official examples and documentation |
| 63 | +- Core resolution APIs |
| 64 | +- Dependencies with direct security implications |
| 65 | + |
| 66 | +**Out of Scope:** |
| 67 | +- Third-party wrappers or extensions |
| 68 | +- Bundler-specific integrations |
| 69 | +- Social engineering or physical attacks |
| 70 | +- Theoretical vulnerabilities without practical exploitation |
| 71 | +- Issues in non-production files |
| 72 | + |
| 73 | +## Security Measures |
| 74 | + |
| 75 | +**Our Commitments:** |
| 76 | +- Regular vulnerability scanning via `npm audit` |
| 77 | +- Automated security checks in CI/CD (GitHub Actions) |
| 78 | +- Secure coding practices and mandatory code review |
| 79 | +- Prompt patch releases for critical issues |
| 80 | + |
| 81 | +**User Responsibilities:** |
| 82 | +- Keep **resolve** updated |
| 83 | +- Monitor dependency vulnerabilities |
| 84 | +- Follow secure configuration guidelines for module resolution |
| 85 | + |
| 86 | +## Legal Safe Harbor |
| 87 | + |
| 88 | +**We will NOT:** |
| 89 | +- Initiate legal action |
| 90 | +- Contact law enforcement |
| 91 | +- Suspend or terminate your access |
| 92 | + |
| 93 | +**You must:** |
| 94 | +- Only test against your own installations |
| 95 | +- Not access, modify, or delete user data |
| 96 | +- Not degrade service availability |
| 97 | +- Not publicly disclose before coordinated disclosure |
| 98 | +- Act in good faith |
| 99 | + |
| 100 | +## Recognition |
| 101 | + |
| 102 | +- **Advisory Credits**: Credit in GitHub Security Advisories (unless anonymous) |
| 103 | + |
| 104 | +## Security Updates |
| 105 | + |
| 106 | +**Stay Informed:** |
| 107 | +- Subscribe to npm updates for **resolve** |
| 108 | +- Enable GitHub Security Advisory notifications |
| 109 | + |
| 110 | +**Update Process:** |
| 111 | +- Patch releases (e.g., 1.22.10 → 1.22.11) |
| 112 | +- Out-of-band releases for critical issues |
| 113 | +- Advisories via GitHub Security Advisories |
| 114 | + |
| 115 | +## Contact Information |
| 116 | + |
| 117 | +- **Security reports**: Security tab of [browserify/resolve](https://github.com/browserify/resolve/security) |
| 118 | +- **General inquiries**: GitHub Discussions or Issues |
| 119 | + |
0 commit comments