From a01351640e94f82b82e9e45c1116cb16c390f2c0 Mon Sep 17 00:00:00 2001 From: Michele Dolfi Date: Thu, 21 Nov 2024 10:48:44 +0100 Subject: [PATCH] add security policy Signed-off-by: Michele Dolfi --- .github/SECURITY.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 .github/SECURITY.md diff --git a/.github/SECURITY.md b/.github/SECURITY.md new file mode 100644 index 00000000..419e13db --- /dev/null +++ b/.github/SECURITY.md @@ -0,0 +1,23 @@ +# Security and Disclosure Information Policy for the Docling Project + +The Docling team and community take security bugs seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions. + +## Reporting a Vulnerability + +If you think you've identified a security issue in an Docling project repository, please DO NOT report the issue publicly via the GitHub issue tracker, etc. + +Instead, send an email with as many details as possible to [deepsearch-core@zurich.ibm.com](mailto:deepsearch-core@zurich.ibm.com). This is a private mailing list for the maintainers team. + +Please do not create a public issue. + +## Security Vulnerability Response + +Each report is acknowledged and analyzed by the core maintainers within 3 working days. + +Any vulnerability information shared with core maintainers stays within the Docling project and will not be disseminated to other projects unless it is necessary to get the issue fixed. + +After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance. + +## Security Alerts + +We will send announcements of security vulnerabilities and steps to remediate on the [Docling announcements](https://github.com/DS4SD/docling/discussions/categories/announcements).
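Review bot: the "Reporting a Vulnerability" section gives reporters a plain-text mailing list address but no way to send sensitive details confidentially; since the policy asks for "as many details as possible", consider publishing a PGP key fingerprint for deepsearch-core@zurich.ibm.com or pointing to GitHub's private vulnerability reporting (this file already lives under .github/), so that a reporter's proof-of-concept does not travel in cleartext. The "Security Vulnerability Response" section commits only to a 3-working-day acknowledgement; stating an expected fix-and-disclosure window (or at least that a coordinated disclosure date will be agreed with the reporter) would set expectations for both sides and make the "full announcement" step concrete. Minor: "in an Docling project repository" should read "in a Docling project repository".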