caozhuozi
Contributor

No description provided.

Summary of Changes

Hello @caozhuozi, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a new SECURITY.md file to the repository, providing a comprehensive security policy. The purpose is to establish clear guidelines for reporting vulnerabilities, detail the project's response process, and inform users about supported versions for security fixes. This addition aims to enhance the project's security posture and facilitate responsible disclosure of any potential issues.

Highlights

  • New Security Policy Document: A new SECURITY.md file has been added to the repository, establishing a formal security policy.
  • Vulnerability Reporting Guidelines: The document outlines clear instructions on how to report security vulnerabilities, emphasizing the use of GitHub Security Advisories for private disclosure.
  • Response and Disclosure Timelines: It specifies the expected response time for vulnerability reports (5 working days) and general public disclosure timelines (7-90 days, depending on complexity).
  • Supported Versions for Security Fixes: The policy clarifies that security fixes are primarily provided for the latest major version of the project.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request adds a SECURITY.md file, which is a great addition for outlining the project's security policy. The document is well-structured and clear. I've made a few suggestions to improve consistency with the rest of the project's documentation and to clean up some minor formatting issues.

Comment on lines 5 to 13
We're extremely grateful for security researchers and users who report vulnerabilities they discovered in modelpack.
All reports are thoroughly reviewed and investigated.

### When Should I Report a Vulnerability?

You should report if:

- You think you have discovered a potential security vulnerability in modepack
- You are uncertain about the security impact of an issue you found in modelpack

medium

For consistency with other project documentation (e.g., GOVERNANCE.md), 'ModelPack' should be consistently capitalized. There are a few instances in this section where it's either lowercase or misspelled.

  • Line 5: modelpack -> ModelPack
  • Line 12: modepack -> ModelPack
  • Line 13: modelpack -> ModelPack
Suggested change
We're extremely grateful for security researchers and users who report vulnerabilities they discovered in modelpack.
All reports are thoroughly reviewed and investigated.
### When Should I Report a Vulnerability?
You should report if:
- You think you have discovered a potential security vulnerability in modepack
- You are uncertain about the security impact of an issue you found in modelpack
We're extremely grateful for security researchers and users who report vulnerabilities they discovered in ModelPack.
All reports are thoroughly reviewed and investigated.
### When Should I Report a Vulnerability?
You should report if:
- You think you have discovered a potential security vulnerability in ModelPack
- You are uncertain about the security impact of an issue you found in ModelPack

SECURITY.md Outdated

### Public Disclosure Timing

The disclosure date will be agreed upon between the modelpack maintainers and the reporter.

medium

For consistency, modelpack should be capitalized as ModelPack. Additionally, the two trailing spaces at the end of this line are unnecessary for formatting here and can be removed for cleaner source code.

Suggested change
The disclosure date will be agreed upon between the modelpack maintainers and the reporter.
The disclosure date will be agreed upon between the ModelPack maintainers and the reporter.

SECURITY.md Outdated
Comment on lines 42 to 44
- Immediate disclosure may occur if the issue is already public.
- For vulnerabilities with straightforward fixes, disclosure is typically within **7 days** of the report.
- For complex issues requiring more time to investigate and validate fixes, disclosure may be delayed—up to a maximum of **90 days**.

medium

These lines have unnecessary trailing spaces. In Markdown, two trailing spaces can create a hard line break, but here they have no visual effect within the list. Removing them leads to cleaner source text.

Suggested change
- Immediate disclosure may occur if the issue is already public.
- For vulnerabilities with straightforward fixes, disclosure is typically within **7 days** of the report.
- For complex issues requiring more time to investigate and validate fixes, disclosure may be delayed—up to a maximum of **90 days**.
- Immediate disclosure may occur if the issue is already public.
- For vulnerabilities with straightforward fixes, disclosure is typically within **7 days** of the report.
- For complex issues requiring more time to investigate and validate fixes, disclosure may be delayed—up to a maximum of **90 days**.
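
Review bot: The 7-day and 90-day bullets do not say who decides whether a fix counts as "straightforward" or "complex", or what happens when a fix is still not ready at the 90-day maximum. Both should be stated, for example that the maintainers classify the report when they acknowledge it and that disclosure goes ahead at day 90 unless the reporter agrees to an extension. The same section says the disclosure date "will be agreed upon between the modelpack maintainers and the reporter", so it is also worth stating that the agreed date has to fall within these limits.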

@bergwolf
Member

DCO is failing. Please sign off your commit.

@caozhuozi
Contributor Author

@bergwolf PTAL. ❤️ (sry for the delay. I've been very busy these days. 😂)

@caozhuozi caozhuozi force-pushed the add-security-md branch 2 times, most recently from 11a32ab to 408532a Compare September 27, 2025 11:58
Signed-off-by: caozhuozi <[email protected]>
Member

@bergwolf bergwolf left a comment

lgtm, thanks!

Member

@gaius-qi gaius-qi left a comment

LGTM

@gaius-qi gaius-qi merged commit 1ee7e28 into modelpack:main Oct 11, 2025
1 check passed