docs/security/incident-playbook.md
This playbook provides step-by-step procedures for handling security incidents in React Starter Kit projects. Each procedure includes specific actions, tools, and decision criteria.
Use this decision tree to classify incidents:

```text
Is remote code execution possible?
├─ Yes → CRITICAL (P0)
└─ No → Can authentication be bypassed?
   ├─ Yes → CRITICAL (P0)
   └─ No → Is sensitive data exposed?
      ├─ Yes (all users) → CRITICAL (P0)
      ├─ Yes (subset) → HIGH (P1)
      └─ No → Is privilege escalation possible?
         ├─ Yes → HIGH (P1)
         └─ No → Is XSS present?
            ├─ Yes (auth flow) → HIGH (P1)
            ├─ Yes (other) → MEDIUM (P2)
            └─ No → Is CSRF possible?
               ├─ Yes → MEDIUM (P2)
               └─ No → LOW (P3)
```
Actions:

1. Send acknowledgment email with template:

```text
Subject: [RSK-SEC-YYYY-NNN] Security Report Received

Thank you for your security report. We have received your submission
and assigned tracking ID: RSK-SEC-YYYY-NNN

We will begin our initial assessment and respond within [TIMEFRAME].

Please keep this vulnerability confidential while we investigate.
```

2. Create a private GitHub issue for tracking
3. Assign an initial responder

Tools: Email client, GitHub Issues (private)
Actions:
Decision Points:
For Critical/High severity:
For Medium/Low severity:
Actions:
Checklist:
Actions:
Template for Security Bulletin:

```markdown
## Security Bulletin: [TITLE]

**Date**: [DATE]
**Severity**: [CRITICAL/HIGH]
**Status**: Under Investigation

### Summary

We are investigating a security vulnerability in React Starter Kit.

### Temporary Mitigation

Until a patch is available, users should:

1. [Specific mitigation steps]
2. [Additional steps]

### Timeline

- Patch expected: [DATE]
- Full disclosure: After patch

### Contact

Report issues to: `[email protected]`
```
Actions:
Code Review Checklist:
Test Environments:
Test Cases:
Actions:
CVE Request Template:

```text
[Contact GitHub Security for CVE]

Repository: react-starter-kit
Vulnerability Type: [TYPE]
Affected Versions: < X.Y.Z
Fixed Version: X.Y.Z
Description: [DESCRIPTION]
```
Release Checklist:
Actions:
Security Advisory Template:

```markdown
## [CVE-YYYY-NNNNN] [Vulnerability Title]

**Severity**: [Critical/High/Medium/Low]
**Affected Versions**: < X.Y.Z
**Patched Version**: X.Y.Z

### Description

[Clear description of vulnerability]

### Impact

[Potential impact on users]

### Patches

Update to version X.Y.Z or later.

### Workarounds

[If any temporary workarounds exist]

### References

- [Links to fixes]
- [Links to documentation]

### Credit

Reported by [Name] ([Organization])
```
For Critical vulnerabilities:
Communication Template:

```text
Subject: [ACTION REQUIRED] Security Update for React Starter Kit

A critical security vulnerability has been discovered and patched.

Action Required:
1. Update to version X.Y.Z immediately
2. Review security advisory: [LINK]
3. Apply any additional mitigations

Details: [BRIEF DESCRIPTION]

Questions: `[email protected]`
```
Meeting Agenda:
Questions to Answer:
Common Improvements:
Update as needed:
bun audit, Dependabot

```text
Subject: Re: [RSK-SEC-YYYY-NNN] Status Update

Thank you for your patience. Here's an update on your report:

Status: [In Progress/Testing Fix/Ready for Release]
Severity: [Confirmed as X]
Timeline: [Expected resolution date]

[Any questions for reporter]

We'll notify you before public disclosure.
```
```text
Subject: [URGENT] Critical Security Issue - Immediate Action Required

A critical vulnerability has been reported:

Tracking: RSK-SEC-YYYY-NNN
Type: [Vulnerability type]
Impact: [Brief impact description]
Status: [Confirmed/Under Investigation]

Required Actions:
1. [Immediate actions needed]
2. [Review assignments]

Details in private issue: [Link]
```
```text
Subject: Security Release Scheduled - [DATE]

Security release details:

Version: X.Y.Z
Release Date: [DATE TIME UTC]
Severity: [Level]
CVE: [If assigned]

Pre-release checklist:
- [ ] Code reviewed and tested
- [ ] Advisory prepared
- [ ] Reporter notified
- [ ] Release notes ready

Please confirm readiness by [DATE].
```
This playbook is a living document. Update it based on lessons learned from each incident.