From f7e2473f17cfb4bcf6f0a90efa045f5dcc24dfe4 Mon Sep 17 00:00:00 2001 From: Russell Bryant Date: Fri, 1 Nov 2024 16:46:48 +0000 Subject: [PATCH 1/2] [Doc] Propose a vulnerability management team The project has a policy for how vulnerabilities are reported, but there is no specific individual(s) who has the responsibility for ensuring that these reports are acted on in a timely manner. To address this, I propose naming a "vulnerability management team" who would have this responsibility. The list of individuals that would seed this team is TBD. Signed-off-by: Russell Bryant --- .../contributing/vulnerability_management.md | 35 +++++++++++++++++++ docs/source/index.rst | 1 + 2 files changed, 36 insertions(+) create mode 100644 docs/source/contributing/vulnerability_management.md diff --git a/docs/source/contributing/vulnerability_management.md b/docs/source/contributing/vulnerability_management.md new file mode 100644 index 0000000000000..96db5b49a010a --- /dev/null +++ b/docs/source/contributing/vulnerability_management.md 
@@ -0,0 +1,35 @@ +# Vulnerability Management + +## Reporting Vulnerabilities + +As mentioned in the [security +policy](https://github.com/vllm-project/vllm/tree/main/SECURITY.md), security +vulnerabilities may be reported privately to the project via +[GitHub](https://github.com/vllm-project/vllm/security/advisories/new). + +## Vulnerability Management Team + +Once a vulnerability has been reported to the project, the Vulnerability +Management Team (VMT) is responsible for managing the vulnerability. The VMT is +responsible for: + +- Triaging the vulnerability. +- Coordinating with reporters and project maintainers on vulnerability analysis + and resolution. +- Drafting of security advisories for confirmed vulnerabilities, as appropriate. +- Coordination with project maintainers on a coordinated release of the fix and + security advisory. + +### Security Advisories + +Advisories are published via GitHub through the same system used to report +vulnerabilities. More information on the process can be found in the [GitHub +documentation](https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories). + +### Team Members + +We prefer to keep all vulnerability-related communication on the security report +on GitHub. However, if you need to contact the VMT directly for an urgent issue, +you may contact the following individuals: + +- ... TODO ... diff --git a/docs/source/index.rst b/docs/source/index.rst index 842013d6d49c4..13b9102070397 100644 --- a/docs/source/index.rst +++ b/docs/source/index.rst @@ -183,6 +183,7 @@ Documentation contributing/overview contributing/profiling/profiling_index contributing/dockerfile/dockerfile + contributing/vulnerability_management.md Indices and tables ================== From c85530335ce21eb0ec911b0ce98d0a61e9db50a9 Mon Sep 17 00:00:00 2001 
From: Russell Bryant Date: Fri, 13 Dec 2024 15:20:52 +0000 Subject: [PATCH 2/2] docs: Note team members, add a link to SECURITY.md, add slack channel Signed-off-by: Russell Bryant --- SECURITY.md | 2 +- docs/source/contributing/vulnerability_management.md | 10 +++++++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index ad3f1f16ab560..de0032d26c87b 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -4,7 +4,7 @@ If you believe you have found a security vulnerability in vLLM, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. -Please report security issues privately using [the vulnerability submission form](https://github.com/vllm-project/vllm/security/advisories/new). +Please report security issues privately using [the vulnerability submission form](https://github.com/vllm-project/vllm/security/advisories/new). Reports will then be triaged by the [vulnerability management team](https://docs.vllm.ai/contributing/vulnerability_management/). --- diff --git a/docs/source/contributing/vulnerability_management.md b/docs/source/contributing/vulnerability_management.md index 96db5b49a010a..422dc13e6a644 100644 --- a/docs/source/contributing/vulnerability_management.md +++ b/docs/source/contributing/vulnerability_management.md @@ -32,4 +32,12 @@ We prefer to keep all vulnerability-related communication on the security report on GitHub. However, if you need to contact the VMT directly for an urgent issue, you may contact the following individuals: -- ... TODO ... +- Simon Mo - simon.mo@hey.com +- Russell Bryant - rbryant@redhat.com + +## Slack Discussion + +You may use the `#security` channel in the [VLLM Slack](https://slack.vllm.ai) +to discuss security-related topics. However, please do not disclose any +vulnerabilities in this channel. If you need to report a vulnerability, please +use the GitHub security advisory system or contact a VMT member privately.
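Review bot: In the new `vulnerability_management.md` (patch 1/2), the "Team Members" section is merged with a `- ... TODO ...` placeholder, and the "Vulnerability Management Team" section lists responsibilities without any expected timeframe, even though the commit message states the goal is that reports are "acted on in a timely manner". Suggest squashing the placeholder with the follow-up commit that fills in the names, and adding one sentence under the responsibilities bullets stating the target window for acknowledging a new report (for example, "Reporters can expect an initial response within N business days", with N chosen by the maintainers), so reporters know when to escalate via the direct-contact path.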
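Review bot: The `index.rst` hunk (patch 1/2) adds the toctree entry `contributing/vulnerability_management.md` with a file extension, while the neighbouring entries `contributing/overview`, `contributing/profiling/profiling_index` and `contributing/dockerfile/dockerfile` are written without one. Suggest dropping the `.md` so the entry follows the same convention as the rest of the toctree and resolves the same way as the sibling documents.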
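Review bot: The `SECURITY.md` hunk (patch 2/2) links the new team page via the rendered docs site (`https://docs.vllm.ai/contributing/vulnerability_management/`), whereas the new page itself links back to `SECURITY.md` through the GitHub tree URL. A relative link to `docs/source/contributing/vulnerability_management.md` would render on GitHub, where `SECURITY.md` is what a reporter sees in the repository's security tab, and would not depend on the docs site's URL layout; consider adding it alongside or instead of the docs.vllm.ai URL.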
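Review bot: The second `vulnerability_management.md` hunk (patch 2/2) replaces the TODO with two personal email addresses for urgent contact, and the new "Slack Discussion" section tells reporters to "contact a VMT member privately", but neither says what should be sent over that channel. Plain email is unencrypted, so suggest stating that the direct contact is for getting the team's attention and that vulnerability details should still go through the GitHub advisory form (or noting whether an encrypted channel is available). Minor: "VLLM Slack" should read "vLLM Slack" to match the project name as written in `SECURITY.md`.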