webpack · evenstensberg · Aug 29, 2025 · Aug 29, 2025 · Aug 29, 2025 · UlisesGascon
diff --git a/README.md b/README.md
@@ -1,2 +1,57 @@
-# security-wg
-Webpack Security Working Group
+# Security Working Group
+
+## Charter
+
+The Security Working Group manages all aspects and processes linked to the Webpack Project's security.
+
+The Security Triage Team is responsible for managing incoming security reports, to prepare security patches/releases, and to coordinate vulnerability disclosures. The nature of this task is sensitive, so only the Security Triage Team, TSC members, and (impacted) Core Maintainers are involved in the process.
+
+### Responsibilities
+
+- Define the Security triage role
+- Define and maintain security policies and procedures for the project and the packages in scope (see [this table for scope details](https://github.com/webpack/security-wg/blob/main/docs/packages-in-scope.md))
+- Provide guidance to the ecosystem on how to build more secure plugins
+- Review and recommend processes for handling of security reports.
+- Promote improvement of security practices within the Webpack project's ecosystem (For example: OSSF Scorecard, threat model, etc..)
+- Recommend security improvements for the project and the packages in scope
+- Support the TSC team on security triage as needed
+- Support initiatives from the [OpenJS Foundation Security Collab Space](https://github.com/openjs-foundation/security-collab-space).
+- Support initiatives from the OpenSSF [Best Practices for Open Source Developers Working Group](https://github.com/ossf/wg-best-practices-os-developers).
+
+## Current Initiatives
+
+| Initiative | Champion | Status | Links |
+|------------|----------|--------|-------|
+| Kick off the WG | [@UlisesGascon](https://github.com/UlisesGascon) | In progress | _none_ |
+| Incident Response Plan | [@RafaelGSS](https://github.com/rafaelgss) | In progress | [PR #19841](https://github.com/webpack/webpack/pull/19841)|
+
+## Members
+
+The Security Working Group is composed of two groups of members: the Security Triage Team and the Regular members. The regular members are responsible for the public facing activity of the group, while the Security Triage Team is responsible for the security triage process.
+
+### Security Triage Team @webpack/security-triage
+
+_TBA_
+
+### Lead Members @webpack/security-wg-leads
+
+_TBA_
+
+### Team Members @webpack/security-wg
+
+- [Claudio Wunder](https://github.com/ovflowd)
+- [Even Stensberg](https://github.com/evenstensberg)
+- [Rafael Gonzaga](https://github.com/RafaelGSS)
+- [Ulises Gascón](https://github.com/UlisesGascon)
+
+## Meetings
+
+The Security Working Group meets on an ad hoc basis. The meeting is open to the public. The agenda and meeting notes are published in this repository. You can find the calendar entries in the [OpenJS Foundation calendar](https://openjsf.org/collaboration).
+
+## Offline Discussions
+
+The Security Working Group uses [GitHub issues](https://github.com/webpack/security-wg/issues) for offline discussion. The discussions are open to the public and anyone may participate. Also, the group uses the channel `#Webpack-security-wg` in the [OpenJS Foundation Slack](https://openjsf.org/collaboration) for realtime discussions.
+
+## Code of Conduct
+
+The [Webpack Project's CoC](https://github.com/webpack/webpack/blob/main/CODE_OF_CONDUCT.md) applies to this repo.
diff --git a/docs/packages-in-scope.md b/docs/packages-in-scope.md
@@ -0,0 +1,23 @@
+
+| Name                | Github Repository                                | npm                                               
+|---------------------|--------------------------------------------------|---------------------------------------------------|
+| loader-utils  | https://github.com/webpack/loader-utils | https://www.npmjs.com/package/loader-utils |
+| analyse | https://github.com/webpack/analyse | _none_ |
+| watchpack | https://github.com/webpack/watchpack | https://www.npmjs.com/package/watchpack |
+| webpack-sources | https://github.com/webpack/webpack-sources | https://www.npmjs.com/package/webpack-sources |
+| tooling | https://github.com/webpack/tooling | _none_ |
+| schema-utils | https://github.com/webpack/schema-utils | https://www.npmjs.com/package/schema-utils |
+| enhanced-resolve | https://github.com/webpack/enhanced-resolve | https://www.npmjs.com/package/enhanced-resolve |
+| loader-runner | https://github.com/webpack/loader-runner | https://www.npmjs.com/package/loader-runner |
+| eslint-config-webpack | https://github.com/webpack/eslint-config-webpack | https://www.npmjs.com/package/eslint-config-webpack |
+| tapable | https://github.com/webpack/tapable | https://www.npmjs.com/package/tapable |
+| webpack-cli | https://github.com/webpack/webpack-cli | https://www.npmjs.com/package/webpack-cli |
+| @webpack-cli/serve | https://github.com/webpack/webpack-cli | https://www.npmjs.com/package/@webpack-cli/serve |
+| @webpack-cli/info | https://github.com/webpack/webpack-cli | https://www.npmjs.com/package/@webpack-cli/info |
+| create-new-webpack-app | https://github.com/webpack/webpack-cli | https://www.npmjs.com/package/create-new-webpack-app |
+| @webpack-cli/configtest | https://github.com/webpack/webpack-cli | https://www.npmjs.com/package/@webpack-cli/configtest |
+| webpack-dev-middleware  | https://github.com/webpack/webpack-dev-middleware | https://www.npmjs.com/package/webpack-dev-middleware |
+| webpack.js.org | https://github.com/webpack/webpack.js.org | _none_ |
+| webpack-dev-server | https://github.com/webpack/webpack-dev-server | http://npmjs.com/package/webpack-dev-server |
+| webpack | https://github.com/webpack/webpack | https://www.npmjs.com/package/webpack |
+| benchmark | https://github.com/webpack/benchmark | _none_ |