INCIDENT_RESPONSE.md
Repository: github.com/onnx/onnx | License: Apache 2.0 | Last Reviewed: April 2026
This plan defines how the ONNX team receives vulnerability reports, assesses severity, ships fixes, and communicates with the community.
Severity is based on CVSS scores (v4.0 or v3.1) and assessed case by case. The security team (the GitHub team with access to private advisories) decides per incident whether the fix warrants an out-of-cycle patch release or can be included in the next scheduled release.
Not every report results in a CVE. A CVE is issued when there is a confirmed, exploitable vulnerability with real-world impact. Reports describing expected behavior, unrealistic preconditions, or issues outside the project's threat model may be closed without a CVE.
| Phase | Security Action |
|---|---|
| Start of quarter | Review open advisories. Update this IRP. |
| Mid-quarter | Develop fixes. Backport critical patches. |
| Release candidate | Final security review. Dependency audit. |
| Release | Note security fixes in changelog. Close advisories. |
Out-of-cycle releases are triggered for confirmed Critical/High vulnerabilities or active exploitation.
The escalation path will be confirmed and documented here.
This is a living document, reviewed at the start of every quarterly release cycle. It fulfills the OpenSSF OSPS Baseline requirement for coordinated vulnerability disclosure and incident response.