Set up process for premature disclosure

[avivkeller]

As with every software, eventually, someone may report a security issue as a public issue. In the event of a premature disclosure, we should have a contingency plan set up.

At @nodejs, this goes something along the lines of:

1. Transfer the issue to a private repository
2. Prepare and discuss a patch in the private repository
3. Issue a security release via a push directly to the public repository

[bjohansebas]

Yep, Express has something similar (https://github.com/expressjs/security-wg/blob/main/docs/incident_response_plan.md), although in my opinion this is related to webpack/webpack#19841

[avivkeller]

Yep, Express has something similar (https://github.com/expressjs/security-wg/blob/main/docs/incident_response_plan.md), although in my opinion this is related to webpack/webpack#19841

cc @RafaelGSS how does that policy handle premature disclosures?

[RafaelGSS]

For Webpack, I suggest we do pretty much the same as Node.js. Transfer it to a premature-disclosure repository.