Incident Response Plan

Incident Response Plan (IRP)

Applies To: Netty organization and all associated repositories.

Purpose

This Incident Response Plan outlines the structured process for identifying, assessing, responding to, and recovering from security incidents affecting the Netty organization and all of its repositories. The goal is to minimize damage, restore service integrity, and maintain community trust.

Incident Types Covered

This IRP applies to the following categories:

  • Security Vulnerabilities (e.g., RCE, DoS)
  • Code Integrity Issues (e.g., malicious commits, supply chain attacks)
  • Abuse or Misuse (e.g., spam PRs, malicious users)
  • Dependency Compromise (e.g., third-party library CVEs)

Roles and Responsibilities

Role                     Responsibility
Incident Lead            Manages the response process and coordinates the other roles.
Security Response Team   Investigates, triages, and remediates security issues.
Maintainers              Fix issues, review PRs, communicate with users.
Comms Liaison            Manages public communication (blog, GitHub issues, mailing list).
Infrastructure Lead      Handles CI, GitHub access, project secrets.

The same person might wear multiple hats here.

Incident Response Phases

Phase 1: Identification

  • Anyone can report an issue via:
    • GitHub security advisory
  • Triage team evaluates:
    • Severity (scoring, impact, exploitability)
    • Affected versions
    • Affected modules
    • Reproducibility

Phase 2: Containment

  • Restrict access if a maintainer account is compromised.
  • Remove public GitHub Issues/PRs that expose sensitive information and convert them to private security reports.

Phase 3: Eradication & Remediation

  • Develop and test a patch privately.
  • Backport to supported branches.
  • Prepare:
    • Fixed releases
    • Security advisories (GHSA, CVE request)
    • Upgrade instructions (if applicable)

Phase 4: Recovery

  • Publish fixed versions on Maven Central
  • Publicly disclose:
    • GHSA
    • Release announcement
    • GitHub discussions or issues

Phase 5: Post-Incident Review

  • Document:
    • Timeline of events
    • Root cause
    • Fixes implemented
    • Lessons learned
  • Update:
    • Security policies
    • Dependencies and tooling
  • Share summary with community (non-sensitive info only)

Supporting Infrastructure

  • Disclosure Policy: SECURITY.md.
  • Monitoring Tools:
    • GitHub Dependabot alerts
    • OSS Index dependency scanning
  • Safeguards:
    • 2FA enabled for all core maintainers.
    • GPG signing of release artifacts.
    • Private security issue reporting enabled.

Last retrieved on 15-Oct-2025