docs/incident-response-plan.md
We monitor GitHub advisories, GitHub issues, the Gleam Discord, and emails to [email protected] for security reports and bugs that may have security implications.
If we spot a bug or report that looks like a security risk, we treat it as an incident.
First we verify the accuracy of the report and evaluate its impact.
The security team of the Erlang Ecosystem Foundation may be contacted for assistance.
Within 3 days of receiving a report we will acknowledge it, privately if the vulnerability is sensitive. Public disclosure follows a 90-day timeline.
A fix will be developed privately and backported to the currently active versions of the project.
If the issue is confirmed as a vulnerability, we will open a GitHub Security Advisory and publish it at the same time as the fix.
The advisory will describe the vulnerability and give users a way to determine whether they are affected.
After fixing the issue, we review the circumstances that led to the vulnerability and evaluate what we could improve in our systems and processes to prevent similar vulnerabilities in future.