add vulnerability process

Author: maxdeichmann

pages/handbook/product-engineering/playbooks/vulnerability-handling.mdx

@@ -0,0 +1,46 @@
+---
+title: Vulnerability Handling
+description: How we handle security vulnerabilities through manual reports and automated detection.
+---
+
+# Vulnerability Handling
+
+We have two different processes for handling security reports. These security reports are always triaged by engineers within 24 hours to act on them promptly if needed.
+
+## Process 1: Manual Security Reports
+
+Security reports sent to `[email protected]` are forwarded to Plain.com (our support tool), where an engineer is auto-assigned to triage and create a Linear ticket.
+
+```mermaid
+flowchart LR
+    Reporter["Security Researcher/Customer/Team"] --> Email["security[at]langfuse.com"]
+    Email --> Forward["Forward to Plain.com (Support Tool)"]
+    Forward --> AutoAssign["Engineer Auto-Assigned"]
+    AutoAssign --> Triage["Engineer Triages"]
+    Triage --> Linear["Engineer Creates Linear Ticket (Vulnerability Dashboard)"]
+```
+
+## Process 2: Automated Vulnerability Detection
+
+All Langfuse repositories have Dependabot and Snyk enabled. Vulnerabilities are automatically reported to GitHub, which sends webhooks to Make.com to create Linear tickets. Automated tickets are auto-assigned to Max.
+
+```mermaid
+flowchart TD
+    subgraph Repos["Code Repositories"]
+        direction TB
+        Dependabot["Dependabot"]
+        Snyk["Snyk"]
+    end
+
+    Dependabot --> GitHub["GitHub Security Alerts"]
+    Snyk --> GitHub
+
+    GitHub --> Make["Webhook to Make.com"]
+    Make --> Linear["Linear Ticket<br/>(Vulnerability Dashboard)"]
+    Linear --> AutoAssign["Auto-assign to Engineer"]
+    AutoAssign --> Engineer["Engineer Triages"]
+```
+
+## 24-Hour Policy
+
+All vulnerabilities must be checked and actioned within 24 hours of detection or report.