[Doc] Propose a vulnerability management team

The project has a policy for how vulnerabilties are reported, but there is no specific indivudual(s) who has the responsibility for ensuring that these reports are acted on in a timely manner. To address this, I propose naming a "vulnerability management team" who would have this responsibility. The list of individuals that would seed this team is TBD. Signed-off-by: Russell Bryant <[email protected]>
vllm-project · Nov 8, 2024 · 4d5bbcc · 4d5bbcc
1 parent 1ff4aed
commit 4d5bbcc
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 0 deletions.
diff --git a/docs/source/contributing/vulnerability_management.md b/docs/source/contributing/vulnerability_management.md
@@ -0,0 +1,35 @@
+# Vulnerability Management
+
+## Reporting Vulnerabilities
+
+As mentioned in the [security
+policy](https://github.com/vllm-project/vllm/tree/main/SECURITY.md), security
+vulnerabilities may be reported privately to the project via
+[GitHub](https://github.com/vllm-project/vllm/security/advisories/new).
+
+## Vulnerability Management Team
+
+Once a vulnerability has been reported to the project, the Vulnerability
+Management Team (VMT) is responsible for managing the vulnerability. The VMT is
+responsible for:
+
+- Triaging the vulnerability.
+- Coordinating with reporters and project maintainers on vulnerability analysis
+  and resolution.
+- Drafting of security advisories for confirmed vulnerabilities, as appropriate.
+- Coordination with project maintainers on a coordinated release of the fix and
+  security advisory.
+
+### Security Advisories
+
+Advisories are published via GitHub through the same system used to report
+vulnerabilities. More information on the process can be found in the [GitHub
+documentation](https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories).
+
+### Team Members
+
+We prefer to keep all vulnerability-related communication on the security report
+on GitHub. However, if you need to contact the VMT directly for an urgent issue,
+you may contact the following individuals:
+
+- ... TODO ...
diff --git a/docs/source/index.rst b/docs/source/index.rst
@@ -169,6 +169,7 @@ Documentation
    contributing/overview
    contributing/profiling/profiling_index
    contributing/dockerfile/dockerfile
+   contributing/vulnerability_management.md
 
 Indices and tables
 ==================