From 0181f6d5d7c6c5532a8b8a6d9cc09274fadcdd89 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc=20Cornell=C3=A0?= Date: Tue, 1 Jul 2025 17:56:43 +0200 Subject: [PATCH] Fix formatting --- .github/INCIDENT_RESPONSE_PLAN.md | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/.github/INCIDENT_RESPONSE_PLAN.md b/.github/INCIDENT_RESPONSE_PLAN.md index 6f908c280..3f0b493c6 100644 --- a/.github/INCIDENT_RESPONSE_PLAN.md +++ b/.github/INCIDENT_RESPONSE_PLAN.md @@ -37,19 +37,19 @@ Please see [the latest guidelines](https://github.com/ohmyzsh/ohmyzsh/blob/maste 4. What's the impact of the vulnerability? -Assess using the *CIA* triad: + Assess using the *CIA* triad: -- **Confidentiality**: example: report or sharing of secrets. -- **Integrity**: affects the integrity of the system (deletion, corruption or encryption of data, OS file corruption, etc.). -- **Availability**: denial of login, deletion of required files to boot / login, etc. + - **Confidentiality**: example: report or sharing of secrets. + - **Integrity**: affects the integrity of the system (deletion, corruption or encryption of data, OS file corruption, etc.). + - **Availability**: denial of login, deletion of required files to boot / login, etc. -1. What's the exploitability of the vulnerability? +5. What's the exploitability of the vulnerability? -Consider how easy it is to exploit, and if it affects all users or requires specific configurations. + Consider how easy it is to exploit, and if it affects all users or requires specific configurations. 6. What's the severity of the vulnerability? -You can use the [CVSS v3.1](https://www.first.org/cvss/specification-document) to assess the severity of the vulnerability. + You can use the [CVSS v3.1](https://www.first.org/cvss/specification-document) to assess the severity of the vulnerability. 7. When was the vulnerability introduced? 
@@ -58,16 +58,17 @@ You can use the [CVSS v3.1](https://www.first.org/cvss/specification-document) t 8. Who are our security contacts? -Assess upstream or downstream contacts, and their desired channels of security. + Assess upstream or downstream contacts, and their desired channels of security. -> TODO: add a list of contacts. + > TODO: add a list of contacts. ### Mitigation - **Primary focus:** removing possibility of exploitation fast. - **Secondary focus:** addressing the root cause. -> [!IMPORTANT] Make sure to test that the mitigation works as expected, and does not introduce new vulnerabilities. +> [!IMPORTANT] +> Make sure to test that the mitigation works as expected, and does not introduce new vulnerabilities. > When deploying a patch, make sure not to disclose the vulnerability in the commit message or PR description. > TODO: introduce a fast-track update process for security patches.
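Review bot: in the first hunk the three CIA bullets are not phrased in parallel: the Confidentiality item reads `- **Confidentiality**: example: report or sharing of secrets.` with a doubled `example:`, while the Integrity and Availability items describe the impact directly. Suggest `- **Confidentiality**: disclosure or sharing of secrets.` so the list reads consistently. The renumbering of `1.` to `5.` together with the three-space indentation of the explanatory paragraphs is the right fix: without the indentation, Markdown closed the ordered list at each unindented paragraph and started a new list at `1.`, which is why that item rendered as 1 rather than 5.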
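Review bot: in the second hunk, moving `> [!IMPORTANT]` onto its own line is required for GitHub to render the alert, but check what follows it: `> When deploying a patch, ...` and `> TODO: introduce a fast-track update process for security patches.` sit in the same blockquote, so unless a blank line separates them they all render inside the IMPORTANT callout. If the TODO is a note to maintainers rather than guidance to the responder, put a blank line before it so it becomes its own blockquote. Minor wording in the same hunk: `their desired channels of security` would read better as `their preferred channels for security communication`.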