46 changes: 46 additions & 0 deletions SECURITY.md
@@ -0,0 +1,46 @@
# Security Policy

## Reporting a Vulnerability

We're extremely grateful for security researchers and users who report vulnerabilities they discovered in modelpack.
All reports are thoroughly reviewed and investigated.

### When Should I Report a Vulnerability?

You should report if:

- You think you have discovered a potential security vulnerability in modelpack
- You are uncertain about the security impact of an issue you found in modelpack

### How to Report a Vulnerability?

Please report a vulnerability using GitHub’s [Security Advisories](https://github.com/modelpack/community/security).
**Do not create a public issue, pull request, or discussion**.

To submit a report, navigate to the community repository's main page, open the **Security** tab, select **Advisories** from the sidebar,
click **Report a vulnerability**, provide the required details, and submit.
This process will create a private advisory visible only to the maintainers for review.

### Security Vulnerability Response

Our maintainers will review and respond to your report within **5 working days**. Depending on the severity and complexity of the issue, resolution times may vary, but we will keep you informed throughout the process.

### Supported Versions

We only provide security fixes for the latest major version.

| Version | Security Fixes Provided |
|---------------|-------------------------|
| `@latest` | Yes |
| Older versions| Not Guaranteed |

### Public Disclosure Timing

The disclosure date will be agreed upon between the modelpack maintainers and the reporter.
In general:

- Immediate disclosure may occur if the issue is already public.
- For vulnerabilities with straightforward fixes, disclosure is typically within **7 days** of the report.
- For complex issues requiring more time to investigate and validate fixes, disclosure may be delayed—up to a maximum of **90 days**.

Delays may also be necessary if the bug or fix is not yet fully understood or adequately tested.
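
Review bot: In "Public Disclosure Timing", disclosure "typically within **7 days** of the report" conflicts with the **5 working days** first-response window in "Security Vulnerability Response": five working days can span seven calendar days, so a report could reach its typical disclosure date at about the time it gets its first reply. Suggest counting the 7 days from when a fix is available (or from triage), or stating the unit as working days in both places. Separately, "Supported Versions" says fixes go to "the latest major version" while the table row is `@latest`; say which one applies, since an older minor release of the current major is covered by one wording and not by the other.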