High-level security incident response handling process
The goal of this high-level process is to identify what needs to be done for a security response, and who can help making it happen.
| 1. Awareness | |||
|---|---|---|---|
| Task | Duration | Who can do it | Notes |
| Make security team aware | - | Whoever being aware about security issue | Its important to handle the issue properly from the beginning. |
| 2. Identification | |||
| Task | Duration | Who can do it | Notes |
| Analyze report | - | Security response team | Assess incoming reports for validity and potential severity. |
| 3. Assesment | |||
| Task | Duration | Who can do it | Notes |
| Impact evaluation | - | Security response team | Determine the potential impact on users and the project (e.g., data exposure, remote code execution). |
| Risk categorization | - | Security response team | Assign severity levels (e.g., Critical, High, Medium, Low) using frameworks like CVSS. |
| Confirm the issue | - | Security response team | Reproduce the issue in a controlled environment to confirm its validity. |
| 4. Containment | |||
| Task | Duration | Who can do it | Notes |
| Prevent further exploitation | - | - | Take immediate action to limit the incident’s impact (e.g., temporarily disabling a vulnerable feature, service) |
| Communicate internally | - | Security response team | Notify relevant maintainers, sysadmins to coordinate the response |
| 5. Remediation | |||
| Task | Duration | Who can do it | Notes |
| Fix the vulnerability | - | - | Patch the issue in the codebase and thoroughly test the fix |
| Backport fixes | - | - | Apply fixes to older supported versions, if necessary |
| 6. Disclosure | |||
| Task | Duration | Who can do it | Notes |
| Communicate with reporter | - | Security response team | Notify the reporter of the fix and thank them for their contribution. |
| Submit CVE | - | Security response team | If applicable, request a CVE ID for tracking and disclosure |
| Publish security advisory on wiki | - | Security response team | Use previous advisories as template |
| Publish advisory to mailing list | - | Security response team | Use previous emails as template, GPG sign email! |
| Publish advisory on forum | - | Security response team | Use previous posts as template, probably makes sense always for remotely exploitable or critical vulnerabilities. |