Parent epic: #155
Deliver docs/security/triage-runbook.md — the executable six-stage vulnerability-response runbook per E19 (#155).
Six stages
- Receipt (0–72h): log the report, auto-ack from form, human ack within 72h.
- Triage (0–7d): scope (Core/Platform/Bdd/out-of-repo), reproduce, assign CVSS v3.1, draft GHSA, request CVE, decide public vs private fix, update reporter.
- Fix development: regression test first (TDD); fix; Conventional Commit updates CHANGELOG via release-please.
- Release coordination: merge fix; merge release-please PR;
release.published attaches SBOM + signatures; publish GHSA coordinated with release.
- Post-release: notify reporter, credit per consent, close tracking.
- Retrospective: how the bug got in, did tests catch it, process gaps, similar-class issues.
Also cover
- Reporter comms cadence (update at each stage transition).
- Out-of-scope / incorrect / intended-behaviour reports.
- Upstream-dependency root cause; self-reported issues (same flow, no external reporter).
- Maintainer unavailability: short-term (SLAs + force-majeure), medium-term (holding statement + cover), long-term (triggers continuity relicensing).
- Evidence retention: GitHub retains published GHSAs, release assets, SBOMs, signatures, and history indefinitely — that is the CRA 10-year evidence store; state this explicitly.
Acceptance
Runbook present; maintainer can execute an end-to-end response from it without external references.
Parent epic: #155
Deliver
docs/security/triage-runbook.md— the executable six-stage vulnerability-response runbook per E19 (#155).Six stages
release.publishedattaches SBOM + signatures; publish GHSA coordinated with release.Also cover
Acceptance
Runbook present; maintainer can execute an end-to-end response from it without external references.