You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The repository's security plan states that MPRC does not yet have a dedicated monitored security-reporting address. A member, volunteer, or researcher who finds exposed personal data, a compromised account, or another vulnerability needs a private path that does not place evidence in a public GitHub issue. Written procedures alone are not sufficient without named responders, working access, escalation ownership, and a rehearsal.
Atomic outcome
Establish a club-owned private security/privacy intake with primary and backup responders, then run one synthetic incident-response exercise that proves the handoff works. #104 owns the written architecture and officer playbooks; this issue configures ownership and provides operational evidence rather than rewriting them.
Owner actions
Choose and provision a club-owned monitored address or approved private reporting channel, such as security@runmprc.com.
Name a primary responder, backup responder, privacy escalation owner, platform owner, and payment/treasurer escalation where applicable.
Require MFA and recovery access for the underlying mailbox/account; avoid a shared password.
Define acknowledgement and escalation targets appropriate to the club, plus who can authorize containment, credential rotation, user notification, and outside advice.
Privately inventory provider escalation contacts for Firebase/GCP, GitHub, Google Workspace/Sites, hosting/DNS, Stripe, email, Sentry, Strava, WhatsApp, and Instagram as applicable.
Engineering/documentation scope
Point public vulnerability-reporting guidance to the private channel without publishing responder personal addresses or provider details.
State clearly that public GitHub issues must not contain vulnerabilities, exploits, credentials, member/payment records, discount codes, or private URLs.
Define a minimal private intake template: reporter contact, affected service, observation time, impact, synthetic reproduction, evidence location, and permission to follow up.
Run a tabletop using synthetic scenarios only: one accidental member-data exposure and one privileged-account compromise.
Record timestamps, roles reached, containment decision, gaps, corrective actions, and next drill date without copying sensitive evidence into GitHub.
Acceptance criteria
The private reporting channel is club-owned, monitored by both primary and backup responders, protected by MFA/recovery controls, and tested from an unrelated account.
Public site/repository guidance gives one clear private reporting path and warns against public disclosure of sensitive evidence.
The escalation map identifies privacy, platform, payment, and provider responsibility without exposing private contact details publicly.
Both synthetic scenarios are acknowledged, classified, escalated, and closed through the documented procedure.
The exercise proves responders can reach the relevant owner and identify an authorized containment action without changing production.
Gaps produce separate small tickets with owners and deadlines; no incident is marked resolved merely because a message was sent.
Public evidence contains no real PII, secrets, tokens, private URLs, exploitable details, or security-contact personal data.
Creation is not a claim. Engineering/documentation work must be assigned and begin only after a timestamped CLAIMED by <canonical agent> at <UTC>; branch <branch> comment is posted and re-read. Earliest valid claim wins. External account and incident-authority actions remain owner-only.
Problem
The repository's security plan states that MPRC does not yet have a dedicated monitored security-reporting address. A member, volunteer, or researcher who finds exposed personal data, a compromised account, or another vulnerability needs a private path that does not place evidence in a public GitHub issue. Written procedures alone are not sufficient without named responders, working access, escalation ownership, and a rehearsal.
Atomic outcome
Establish a club-owned private security/privacy intake with primary and backup responders, then run one synthetic incident-response exercise that proves the handoff works. #104 owns the written architecture and officer playbooks; this issue configures ownership and provides operational evidence rather than rewriting them.
Owner actions
security@runmprc.com.Engineering/documentation scope
Acceptance criteria
Dependencies and coordination
Explicitly out of scope
Claim protocol
Creation is not a claim. Engineering/documentation work must be assigned and begin only after a timestamped
CLAIMED by <canonical agent> at <UTC>; branch <branch>comment is posted and re-read. Earliest valid claim wins. External account and incident-authority actions remain owner-only.