From 9e4f6b56966cd570841ab4d9639449b8cd86217a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Mirall=C3=A8s?= <4765639+frmir@users.noreply.github.com> Date: Thu, 21 May 2026 12:54:41 -0400 Subject: [PATCH] Create SECURITY.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Describes reporting process of a vulnerability. Signed-off-by: François Mirallès <4765639+frmir@users.noreply.github.com> --- SECURITY.md | 119 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 119 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..edc0d73 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,119 @@ +# Security Policy + +## Reporting a Vulnerability + +Please report any **critical** or **important** security vulnerability, suspected or confirmed, through private disclosure channels: + +### Preferred: GitHub Security Advisories + +1. Go to the repository's **Security tab** +2. Click **"Report a vulnerability"** +3. Submit the advisory + +This creates a private report visible only to maintainers. + +### Alternative: Email + +If GitHub advisories are not suitable, please contact this subgroup of GridFM maintainers: + +- [Romeo Kienzler](mailto:Romeo.Kienzler1@ibm.com) +- [Alban Puech](mailto:Alban.Puech2@ibm.com) +- [Tamara Govindasamy](mailto:tamara.govindasamy@ibm.com) +- [François Mirallès](mailto:miralles.francois@hydroquebec.com) +- [Thomas Tolhurst](mailto:tolhurst.thomas@hydroquebec.com) + +--- + +In your report, include: +- Who you are (name and company) +- Description of the issue +- Affected versions +- Detailed steps to reproduce +- Potential impact +- Suggested remediation (optional) + +For **moderate** or **low-severity** security vulnerabilities, you can use public GitHub issues. + +To help you assess the severity of the potential vulnerability, you can use the [Apache severity rating](https://security.apache.org/blog/severityrating/). + +If you are not sure whether the issue should be reported privately or publicly, please make a private report. + +--- + +## Supported Versions + +We currently provide security updates for the following versions: + +| Version | Supported | +|----------------|-----------| +| Latest release | ✅ | +| Previous major | ❌ | +| Older versions | ❌ | + +Users are strongly encouraged to upgrade to the latest release to receive security fixes. + +--- + +## Response Timeline + +We aim to follow these response targets: + +- **Initial acknowledgment**: within 72 hours +- **Status update**: within 7 days +- **Resolution target**: within 90 days (depending on severity) + +These are targets, not guarantees. 
+ +### Severity Guidelines + +| Severity | Response Target | Patch Target | +|----------|----------------|--------------| +| Critical | 24–48 hours | ≤ 7 days | +| High | ≤ 72 hours | ≤ 14 days | +| Medium | ≤ 7 days | ≤ 30 days | +| Low | ≤ 14 days | ≤ 90 days | + +--- + +## Disclosure Policy + +We follow a **coordinated vulnerability disclosure (CVD)** process: + +- We work with reporters to agree on a disclosure timeline +- Public disclosure occurs after a fix is available or mitigation exists +- Contributors are credited unless anonymity is requested +- CVE identifiers will be requested when appropriate + +--- + +## Security Practices + +We strive to follow secure software development practices aligned with OpenSSF recommendations: + +- Dependency scanning and updates (e.g., Dependabot/Renovate) +- Static analysis (e.g., CodeQL or equivalent) +- Reproducible builds where possible +- Code review before merging +- Use of CI pipelines for validation + +--- + +## Supply Chain Security + +Where applicable, we aim to: + +- Provide versioned releases with changelogs +- Track dependencies and vulnerabilities +- Improve build provenance over time (e.g., SLSA alignment) + +--- + +## Reporting Abuse or Misuse + +If you believe the software is being used in a way that creates security risks or violates acceptable practices, please report it via the same channels above. + +--- + +## Acknowledgements + +We thank security researchers and contributors who help improve the safety and reliability of the GridFM ecosystem.
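Review bot: The severity vocabulary in this file is inconsistent between the "Reporting a Vulnerability" section and the "Severity Guidelines" table, and the two timelines contradict each other. The reporting section asks for private reports of "**critical** or **important**" issues and public issues for "**moderate** or **low-severity**" ones, which matches the linked Apache rating scale (Critical / Important / Moderate / Low), but the table then uses `| High |` and `| Medium |`, so a reporter cannot map their Apache-assessed severity onto a row. Likewise "**Initial acknowledgment**: within 72 hours" under "Response Timeline" does not agree with `| Critical | 24–48 hours | ≤ 7 days |`; either state that the 72-hour figure is the worst case and the table tightens it per severity, or drop one of the two. Suggest renaming the table rows to Critical / Important / Moderate / Low and adding a sentence such as "Response targets by severity (as rated on the Apache scale above):" so both sections reference one scale. Two smaller points: the email channel is offered as the fallback for private disclosure but gives no way to encrypt the report (a PGP key or a note that plain email is acceptable for the reporter's threat model would help), and "Who you are (name and company)" as a required field sits awkwardly next to "Contributors are credited unless anonymity is requested"; marking name/company as optional would make the anonymity promise coherent.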