From 76d0ee1cd87e685fb720b5ed808f099e61a5bf69 Mon Sep 17 00:00:00 2001 From: James Lamb Date: Wed, 27 May 2026 16:52:07 -0500 Subject: [PATCH 1/2] add SECURITY.md --- .github/CODEOWNERS | 3 +++ SECURITY.md | 40 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 43 insertions(+) create mode 100644 SECURITY.md diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 7f54e36f..34a3a0f3 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1 +1,4 @@ * @rapidsai/deployment-write + +# Ops code owners +/SECURITY.md @rapidsai/ops-codeowners diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..ada89083 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,40 @@ +# Security + +## Reporting Security Issues + +> [!WARNING] +> Do not report security vulnerabilities through public GitHub issues! + +Instead, please submit a private vulnerability report, see below. + +## Reporting a Vulnerability + +1. **NVIDIA Vulnerability Disclosure Program (preferred)** + Submit through the NVIDIA Product Security Incident Response Team (PSIRT) web form () + This is the fastest path to triage and tracking. + +2. **Email NVIDIA PSIRT** + `psirt@nvidia.com` — encrypt sensitive reports with the + [NVIDIA PSIRT PGP key](https://www.nvidia.com/en-us/security/pgp-key). + +3. **GitHub Private Vulnerability Reporting** + Use the **Security and quality** tab on this repository → *Report a vulnerability*. + +## Report Details + +We prefer all communications to be in English. + +Reports should include the following: + +* reproducible example showing how the vulnerability can be exploited +* statement about the impact (including affected versions) + +And we'd appreciate if they also include: + +* statement about whether you are interested in implementing the fix yourself + +## Disclosure Policy + +NVIDIA PSIRT will acknowledge receipt and coordinate triage, fix development, and coordinated disclosure. + +More on NVIDIA's response process: . 
From 745221296be52c65266aaf11ad3a848ffef9f31b Mon Sep 17 00:00:00 2001 From: James Lamb Date: Thu, 28 May 2026 11:01:57 -0500 Subject: [PATCH 2/2] pre-commit --- SECURITY.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index ada89083..86fb2e58 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -18,7 +18,7 @@ Instead, please submit a private vulnerability report, see below. [NVIDIA PSIRT PGP key](https://www.nvidia.com/en-us/security/pgp-key). 3. **GitHub Private Vulnerability Reporting** - Use the **Security and quality** tab on this repository → *Report a vulnerability*. + Use the **Security and quality** tab on this repository → _Report a vulnerability_. ## Report Details @@ -26,12 +26,12 @@ We prefer all communications to be in English. Reports should include the following: -* reproducible example showing how the vulnerability can be exploited -* statement about the impact (including affected versions) +- reproducible example showing how the vulnerability can be exploited +- statement about the impact (including affected versions) And we'd appreciate if they also include: -* statement about whether you are interested in implementing the fix yourself +- statement about whether you are interested in implementing the fix yourself ## Disclosure Policy
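Review bot: In the CODEOWNERS hunk, the new `/SECURITY.md @rapidsai/ops-codeowners` line overrides the existing `* @rapidsai/deployment-write` rule for that path, because GitHub applies the last matching pattern in the file; @rapidsai/deployment-write will no longer be auto-requested for changes to SECURITY.md. If both teams should review that file, list both owners on the new line: `/SECURITY.md @rapidsai/ops-codeowners @rapidsai/deployment-write`.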
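Review bot: In the new SECURITY.md, option 1 under "Reporting a Vulnerability" reads "web form ()" with nothing inside the parentheses, and the closing line "More on NVIDIA's response process: ." has no link before the period; both need the URL, especially the web form, which the text calls the preferred and fastest path. The email option could also say to use the PGP key for any report containing reproduction details, since the "Report Details" section asks for exactly that. Finally, "Reporting Security Issues" and "Reporting a Vulnerability" both introduce the same procedure; merging the warning and the "see below" sentence under one heading would read cleaner.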
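Review bot: The two pre-commit hunks (`@@ -18,7 +18,7 @@` and `@@ -26,12 +26,12 @@`) only swap `*` emphasis for `_` and `*` bullets for `-`; neither covers line 14 (the PSIRT web form) or line 40 (the response-process link), so the empty link targets from the first patch survive into the final file. Worth fixing in this PR rather than as a follow-up, since the file is what reporters will read.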