Security: webpack/webpack

.github/SECURITY.md

Reporting a Vulnerability

Please report security issues privately:

Do not file public GitHub issues for security problems.

When reporting, please include:

  • Affected project/repo and version(s)
  • Impact and component(s) involved
  • Reproduction steps or PoC (if available)
  • Your contact details and preferred credit name

If you do not receive an acknowledgement of your report within 6 business days, or if you cannot find a private security contact for the project, you may escalate to the OpenJS Foundation CNA at security@lists.openjsf.org.

If the project acknowledges your report but does not provide any further response or engagement within 14 days, escalation is also appropriate.

Coordination & Disclosure

We follow coordinated vulnerability disclosure:

  • We will acknowledge your report, assess impact, and work on a fix.
  • We aim to provide status updates until resolution.
  • Once a fix or mitigation is available, we will publish a security advisory (and request a CVE via the OpenJS CNA when applicable).
  • Reporters are credited by default unless you request otherwise.

Guidelines for Security Testing

When investigating and reporting vulnerabilities, please do not:

  • Break the law
  • Access or modify data beyond what is needed to demonstrate the issue
  • Use high-intensity or destructive testing tools
  • Attempt denial of service (DoS) attacks
  • Social engineer, phish, or physically attack project members
  • Publicly disclose before we release a fix or advisory

Threat Model

For an overview of the security assumptions, potential attack vectors, and areas of concern relevant to webpack, please refer to the Threat Model.


Incident Response

In the event of a broader security incident, please refer to our Security Incident Response Plan.
