{"meta":{"title":"GitHub SIRT description RFC 2350","intro":"","product":"Site policy","breadcrumbs":[{"href":"/en/site-policy","title":"Site policy"},{"href":"/en/site-policy/security-policies","title":"Security Policies"},{"href":"/en/site-policy/security-policies/github-sirt-description-rfc-2350","title":"GitHub SIRT description RFC 2350"}],"documentType":"article"},"body":"# GitHub SIRT description RFC 2350\n\n## 1. Document Information\n\nTLP:CLEAR\n\n### 1.1 Date of Last Update\n\nVersion 1.02, updated 2025-12-18.\n\n### 1.2 Distribution List for Notifications\n\nThere is no distribution list for changes to this document.\n\n### 1.3 Locations where this Document May Be Found\n\nThe current version of this document may be found at:\n\nhttps://docs.github.com/site-policy/security-policies/github-sirt-description-rfc-2350\n\n## 2. Contact Information\n\n### 2.1 Name of the Team\n\nGitHub Security Incident Response Team (SIRT)\n\nSubteams:\n\n* Corporate Security Incident Response Team (CSIRT)\n* Product Security Incident Response Team (PSIRT)\n* Bug Bounty\n\n### 2.2 Address\n\nGitHub SIRT\n88 Colin P. Kelly Jr. 
St.\nSan Francisco, CA 94107\nUnited States\n\n### 2.3 Time Zone\n\nOur team mainly works in the contiguous United States and keeps to these hours:\n\n* EST/EDT\n* CST/CDT\n* MST/MDT\n* PST/PDT\n\n### 2.4 Telephone Number\n\nNone available.\n\n### 2.5 Facsimile Number\n\nNone available.\n\n### 2.6 Other Telecommunication\n\nNone available.\n\n### 2.7 Electronic Mail Address\n\nsecurity(at)github(dot)com\n\nThis relays email to the human(s) on duty for GitHub SIRT.\n\n### 2.8 Public Keys and Encryption Information\n\nGitHub SIRT has a PGP public key:\n\n* Key ID: `B0614CADF0EAF85433C715A508F419AA6FB92A90`\n* Key expiry: `2027-12-18`\n\n### 2.9 Team Members\n\nThe list of team members is not publicly available.\n\n### 2.10 Other Information\n\nNone available.\n\n### 2.11 Points of Customer Contact\n\nVulnerabilities should be reported to our bug bounty program:\n\nhttps://bounty.github.com\n\nGitHub customers should contact their account manager or GitHub Support for first level support and escalations:\n\nhttps://support.github.com\n\nOther security related communications can be directed to our email address detailed in Section 2.7.\n\n## 3. 
Charter\n\n### 3.1 Mission Statement\n\nGitHub is committed to maintaining the confidentiality, integrity, and availability of both its platform and the intellectual property and personal information of its users, customers, and employees. In order to ensure these principles are upheld, GitHub maintains robust vulnerability management, incident response, and threat hunting capabilities.\n\n### 3.2 Constituency\n\nOur constituency is any individual or organization that uses a GitHub product or service, as well as GitHub employees, contractors, and GitHub Inc.\n\nSome examples of GitHub products and services are:\n\n* github.com\n* GitHub Enterprise Server\n* GitHub Actions\n* GitHub Desktop\n* GitHub CLI\n* GitHub API\n* npm\n\n### 3.3 Sponsorship and/or Affiliation\n\nGitHub SIRT is a team within GitHub. Funding is provided by GitHub.\n\n### 3.4 Authority\n\nGitHub SIRT operates under the authority of the Chief Information Security Officer of GitHub.\n\n## 4. Policies\n\n### 4.1 Types of Incidents and Level of Support\n\nGitHub SIRT is authorized to address all types of computer security incidents which occur, or threaten to occur, within its constituency.\n\nThe level of support depends on the type and severity of the given security incident, the number of affected entities within our constituency, and our resources at the time.\n\n### 4.2 Co-operation, Interaction and Disclosure of Information\n\nGitHub SIRT makes every effort to safely and securely share information with affected parties during incident response situations while respecting the privacy and trust of our constituents.\n\n### 4.3 Communication and Authentication\n\nGitHub SIRT makes use of the Traffic Light Protocol (TLP) for information sharing.\n\nEmail is the preferred method of communication. All sensitive information should be encrypted using the GitHub SIRT PGP key (as detailed in Section 2.8) prior to sending.\n\n## 5. 
Services\n\n### 5.1 Incident Response\n\nGitHub SIRT is responsible for incident response internally at GitHub where at least one member of the constituency is affected.\n\nGitHub SIRT does not provide incident response services for customers. Every effort is made to provide timely and accurate information during security incidents to affected customers so they can conduct their own investigations and respond appropriately. See Section 2.11 for customer points of contact.\n\n#### 5.1.1 Incident Triage\n\nGitHub SIRT carries out the following activities for incident triage:\n\n* Collection and interpretation of security signals to determine risk, severity, and priority.\n* Investigation as to whether an incident occurred and what its effect and impact were.\n\nThis list is not exhaustive.\n\n#### 5.1.2 Incident Coordination\n\nGitHub SIRT carries out the following activities for incident coordination:\n\n* Situational awareness and analysis for stakeholders such as engineering, legal, and support teams.\n* Command role with authority to direct resources as required.\n* External coordination with affected or involved third parties.\n\nThis list is not exhaustive.\n\n#### 5.1.3 Incident Resolution\n\nGitHub SIRT carries out the following activities for incident resolution:\n\n* Engagement of relevant internal teams to eradicate, restore, and secure.\n* Collection and storage of evidence for internal use as well as potential law enforcement involvement.\n* Notification to affected constituents.\n* Postmortem authoring with lessons learned and post-incident repair items.\n\nThis list is not exhaustive.\n\n### 5.2 Proactive Activities\n\nGitHub SIRT develops, maintains, and operates threat hunting and detection tools and techniques to proactively identify risks and threats.\n\nWork is also done on education, preparation, workflow development, and community outreach.\n\n## 6. Incident Reporting Forms\n\nNone available. Please review Section 2.11 for reporting guidance.\n\n## 7. 
Disclaimers\n\nWhile every precaution will be taken in the preparation of information, notifications and alerts, GitHub SIRT assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within."}