Install: `apm install @fountain-coach/security-incident-response`
# Security Incident Response
## Purpose
Handle vulnerability reports with coordinated disclosure, timely patches, and clear communication.
## When to Use
- A security report arrives via a security advisory or by email
- Dependabot flags a critical- or high-severity vulnerability
## Steps
1. Acknowledge the report within 24 hours.
2. Validate and assess severity.
3. Develop and test a private fix.
4. Coordinate disclosure timing with the reporter.
5. Publish a patched release and advisory.
6. Announce the resolution and update `SECURITY.md` if needed.
## Output Contract
- Severity is assessed and documented.
- A patched release is published within the SLA.
- Security advisory and communication are complete.
## References
- `SECURITY.md` for reporting channels and timelines.