Create SECURITY.md #172

Open: wants to merge 1 commit into base: main
39 changes: 39 additions & 0 deletions SECURITY.md
@@ -0,0 +1,39 @@
# Security Policy

## Supported Versions

This section details which versions of the Gemma project are currently supported with security updates. We aim to provide timely security patches for actively maintained versions.


| Version | Supported |
| :-- | :-- |
| x.x.1 | :white_check_mark: |
| x.x.0 | :x: |

## Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a potential security issue in the Gemma repository, we encourage you to report it to us immediately.

**How to Report:**

* Please submit vulnerability reports to `EMAIL ADDRESS FOR SECURITY REPORTS`. This is a dedicated email address monitored by the Gemma security team.
* Include a detailed description of the vulnerability, including the steps to reproduce it, the affected version(s), and the potential impact. If possible, please provide a proof-of-concept.

**Response Timeline:**

* The Gemma security team will investigate the reported vulnerability and provide you with an update on the investigation within `X` business days.
* We will keep you informed of our progress and estimated timeline for remediation.

**Vulnerability Acceptance/Decline:**

* If the reported issue is accepted as a valid security vulnerability, we will work to address it as quickly as possible. We will credit you for the discovery in our release notes, unless you request anonymity.
* If the reported issue is determined not to be a security vulnerability, we will provide a detailed explanation of our reasoning.

**Public Disclosure:**

* We request that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it. We aim to release security patches promptly and will notify you when a fix is available.
* We believe that responsible disclosure helps protect our users and the broader community.

**Safe Harbor:**

* We consider vulnerability research conducted in good faith to be authorized. We will not take legal action against researchers who comply with this policy and make reasonable efforts to avoid causing harm or disruption.
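Review bot: the contact address on the `Please submit vulnerability reports to `EMAIL ADDRESS FOR SECURITY REPORTS`` line and the response window on the `within `X` business days` line are still template placeholders, so the policy as written gives a reporter nowhere to send a report and no commitment on acknowledgement time; replace them with the project's real security mailbox and a concrete number of days before merging. The Supported Versions table has the same problem: `x.x.1` / `x.x.0` are placeholders rather than the Gemma releases that actually receive patches, so either list the real version lines or state the rule (for example, "latest minor release") so the table is actionable. A small addition to the Public Disclosure bullets would also help: name the maximum embargo period you are asking for, since "a reasonable opportunity" is the kind of open-ended wording that leads to disputes later.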