You should have a clear incident response plan in place before listing your GitHub App in the marketplace, including the capability to notify GitHub within 24 hours of a confirmed incident.
For an example of an incident response workflow, see the "Data Breach Response Policy" on the SANS Institute website. A short document with clear steps to take in the event of an incident is more valuable than a lengthy policy template.
Updated 3 months ago