This plan outlines how the OpenJS Foundation facilitates and coordinates responses to security incidents affecting supported projects.
The Foundation acts as a facilitator and coordinator, not as the primary incident responder. Our focus is to unblock projects and reduce risk by:
- Connecting the right people and resources
- Coordinating communication between affected parties
- Providing guidance on best practices and mitigation strategies
- Facilitating access to subject matter experts
- Ensuring incidents follow responsible disclosure timelines
We do not:
- Directly fix code vulnerabilities
- Manage individual project security
- Serve as the first responder for project-level technical issues
This approach respects project autonomy while leveraging the Foundation’s position in the ecosystem to resolve incidents efficiently.
This plan applies to incidents such as:
- Platform or provider security issues (e.g., authentication compromise, unexpected data exposure, outages affecting security controls)
- Account or registry access issues (e.g., npm lockdown, GitHub MFA lockout, compromised maintainer account)
- Supply chain attacks (e.g., malicious package versions, phishing campaigns, dependency compromises)
- Legal or operational threats (e.g., license disputes, patent challenges, DMCA takedowns, trademark misuse)
Out of Scope:
- Code-level vulnerabilities in Foundation projects (handled by the project or OpenJS CNA Team)
- Non-Foundation projects — see supported projects list
🍿 @Discussion: Probably we can think of more scenarios together
| Category | Examples | Primary Response Role |
|---|---|---|
| Vulnerability Report | Code exploit, CVE disputes, escalations | Redirect to project / CNA Team |
| Platform Security Issue | Authentication compromise, data exposure, outages | Triage → Escalate to platform → Mitigation guidance |
| Account Access Issue | npm account lockout, GitHub MFA lockout | Triage → Work with provider → Temporary mitigation |
| Supply Chain Attack | Malicious dependency release | Coordinate with affected projects → Security advisories |
| External Provider Incident | Cloud/service compromise | Facilitate communication between maintainers & provider |
| Process Step | Reporter | Foundation Response Team | Coordinator (SRC) | SME |
|---|---|---|---|---|
| File Report | R, A | C | I | |
| Assign Coordinator | I | R | A | |
| Assess Impact & Severity | I | C | A | C |
| Identify SMEs | I | C | A | C |
| Recommend Mitigation | I | C | A | C |
| Document Findings | I | C | A | I, C |
| Publish/Share (if approved) | I | R, A | C | C |
(RACI legend: R = Responsible, A = Accountable, C = Consulted, I = Informed)
🍿 @Discussion: who should be in the team?
🍿 @Discussion: Should we publish learnings publicly to help the community?
The reporter submits an incident report to the Foundation Security Team.
Responsibilities & Expectations
- Provide detailed incident information
- Follow responsible disclosure guidelines
- Cooperate by supplying clarifications when needed
- Respect embargo and disclosure timelines
The coordinator (SRC) is the focal point for each incident: they ensure the process is followed and manage communications.
Responsibilities
- Acknowledge reports promptly
- Manage embargo and limit information sharing
- Assign SMEs as needed
- Keep reporter and affected projects updated
- Track all incidents for reporting and visibility
Subject matter experts (SMEs) provide technical, legal, or domain-specific expertise.
Responsibilities
- Help assess impact and options
- Recommend mitigation strategies
- Assist in unblocking projects when feasible
A direct reporting solution is not yet available. In the meantime, please request support in the #security channel on Slack.
🍿 @Discussion: early-stage idea, based on the Runbook
```mermaid
flowchart TD
    A[Incident Report Received] --> B[Assign Coordinator]
    B --> C{Valid and verifiable?}
    C -- No --> D[Request Clarification from Reporter]
    D --> C
    C -- Yes --> E[Assess Impact and Severity]
    E --> F{Single Project or Multi-Project?}
    F -- Single --> G[Engage Project Maintainers]
    F -- Multi --> H[Engage Multiple Maintainers + Foundation Network]
    G --> I[Coordinate Response: Bring SMEs...]
    H --> I
    I --> J[Update Reporter and Stakeholders]
    J --> K[Document and Close Incident]
```
- Incident Report Received
- Assign Coordinator and consolidate details
- Review Severity and affected projects
- Identify SMEs and brief them
- Coordinate with projects, platforms, or third parties
- Document findings and lessons learned
- Publish summary (if appropriate)
- Social Media Team posts updates if needed