You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: _articles/security-best-practices-for-your-project.md
+10-8Lines changed: 10 additions & 8 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -96,7 +96,9 @@ If you're new to this, the [OWASP Threat Modeling Process](https://owasp.org/www
96
96
97
97
Publishing a basic threat model alongside your security policy improves clarity for everyone.
98
98
99
-
### Prepare a lightweight incident response process
99
+
## Prepare a lightweight incident response process
100
+
101
+
Most vulnerabilities are discovered by researchers and reported privately. But sometimes, an issue is already being exploited in the wild before it reaches you. When this happens, your downstream consumers are the ones at risk, and having a lightweight, well-defined incident response plan can make a critical difference.
@@ -106,22 +108,22 @@ Publishing a basic threat model alongside your security policy improves clarity
106
108
</p>
107
109
</aside>
108
110
109
-
Once you receive a vulnerability report, what happens next?
111
+
Even when a vulnerability is reported privately, the next steps matter. Once you receive a vulnerability report or detect suspicious activity, what happens next?
110
112
111
-
Having a basic incident response plan, even a simple checklist, helps you stay calm and act efficiently when time matters. It also shows users and researchers that you take reports seriously.
113
+
Having a basic incident response plan, even a simple checklist, helps you stay calm and act efficiently when time matters. It also shows users and researchers that you take incidents and reports seriously.
112
114
113
115
Your process doesn't have to be complex. At minimum, define:
114
116
115
-
* Who reviews and triages security reports
116
-
* How you evaluate severity and decide on mitigation
117
-
* What steps you take to prepare a fix and publish a disclosure
118
-
* How you notify affected usersor contributors, if needed
117
+
* Who reviews and triages security reports or alerts
118
+
* How severity is evaluated and how mitigation decisions are made
119
+
* What steps you take to prepare a fix and coordinate disclosure
120
+
* How you notify affected users, contributors, or downstream consumers, if needed
119
121
120
122
Coordinated disclosure works best when there's a clear plan. Publishing this (or linking to it) in your `SECURITY.md` file can help set expectations and build trust.
121
123
122
124
For inspiration, the [Express.js Security WG](https://github.com/expressjs/security-wg/blob/main/docs/incident_response_plan.md) provides a simple but effective example of an open source incident response plan.
123
125
124
-
This plan can evolve as your project grows, but having a basic framework in place now can save time and reduce mistakes later.
126
+
This plan can evolve as your project grows, but having a basic framework in place now can save time and reduce mistakes during a real incident.
0 commit comments