Add Incident Response Plan (IRP)

[mkagenius]

Adds a concise Incident Response Plan covering:

• Two disclosure strategies (Advisory With Patch / Advisory Early)
• GHSA and CVE workflow integrated into phases
• 90-day coordinated disclosure window
• 5 clearly labeled phases with timelines for reporter visibility
• Links back to SECURITY.md

[gemini-code-assist]

Code Review

This pull request introduces a new Incident Response Plan (IRP) document detailing the five phases of security vulnerability management. The review feedback suggests shortening the containment timeline for critical vulnerabilities, using a dedicated security email address for reports, and addressing a broken link to a missing SECURITY.md file.

[gemini-code-assist]

For vulnerabilities classified as Critical (e.g., active exploitation), the containment target of 1–7 days is likely too long. It is recommended to aim for immediate containment (e.g., within 24 hours) for such high-stakes incidents to minimize impact.

Suggested change

	**Target: 1–7 days after triage**
	**Target: 1–7 days after triage (Immediate for Critical)**

[gemini-code-assist]

Using a dedicated security email address (e.g., security@instavm.io) is a best practice for handling vulnerability reports. This ensures that sensitive security communications are routed to the correct team and handled with appropriate confidentiality.

Suggested change

	Email: [hello@instavm.io](mailto:hello@instavm.io)
	Email: [security@instavm.io](mailto:security@instavm.io)

[gemini-code-assist]

The file SECURITY.md does not exist in the repository, making this a broken link. Please ensure that SECURITY.md is created to provide the necessary reporting instructions and policy details.