mirror of
https://github.com/open-webui/open-webui
synced 2024-11-22 08:07:55 +00:00
Update SECURITY.md
This commit is contained in:
parent
d3146d20ad
commit
b193eb1d82
@ -11,10 +11,23 @@ Our primary goal is to ensure the protection and confidentiality of sensitive da
|
||||
|
||||
## Reporting a Vulnerability
|
||||
|
||||
If you discover a security issue within our system, please notify us immediately via a pull request or contact us on discord.
|
||||
We appreciate the community's interest in identifying potential vulnerabilities. However, effective immediately, we will **not** accept low-effort vulnerability reports. To ensure that submissions are constructive and actionable, please adhere to the following guidelines:
|
||||
|
||||
1. **No Vague Reports**: Submissions such as "I found a vulnerability" without any details will be treated as spam and will not be accepted.
|
||||
|
||||
2. **In-Depth Understanding Required**: Reports must reflect a clear understanding of the codebase and provide specific details about the vulnerability, including the affected components and potential impacts.
|
||||
|
||||
3. **Proof of Concept (PoC) is Mandatory**: Each submission must include a well-documented proof of concept (PoC) that demonstrates the vulnerability. If confidentiality is a concern, reporters are encouraged to create a private fork of the repository and share access with the maintainers to maintain privacy. Reports lacking valid evidence will be disregarded.
|
||||
|
||||
4. **Proposed Solutions**: We expect submissions to include actionable suggestions for remediation. Reports without a proposed fix will not be accepted.
|
||||
|
||||
Submissions that do not meet these criteria will be closed, and repeat offenders may face a ban from future submissions. We aim to create a respectful and constructive reporting environment, and low-effort submissions hinder that goal.
|
||||
|
||||
## Product Security
|
||||
|
||||
We regularly audit our internal processes and system's architecture for vulnerabilities using a combination of automated and manual testing techniques.
|
||||
We regularly audit our internal processes and system architecture for vulnerabilities using a combination of automated and manual testing techniques. We are also planning to implement SAST and SCA scans in our project soon.
|
||||
|
||||
We are planning on implementing SAST and SCA scans in our project soon.
|
||||
For immediate concerns or detailed reports that meet our guidelines, please create an issue in our [issue tracker](/open-webui/open-webui/issues) or contact us on [Discord](https://discord.gg/5rJgQTnV4s).
|
||||
|
||||
---
|
||||
_Last updated on **2024-08-06**._
|
Loading…
Reference in New Issue
Block a user