From 5a42540422aefc26120b0feec501ed9ec194a839 Mon Sep 17 00:00:00 2001 From: James Lamb Date: Wed, 27 May 2026 16:52:33 -0500 Subject: [PATCH] add SECURITY.md --- .github/CODEOWNERS | 3 +++ SECURITY.md | 40 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 43 insertions(+) create mode 100644 SECURITY.md diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 2d9cca45..804a5ad6 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -9,3 +9,6 @@ /dependencies.yaml @rapidsai/packaging-codeowners /build.sh @rapidsai/packaging-codeowners pyproject.toml @rapidsai/packaging-codeowners + +# Ops code owners +/SECURITY.md @rapidsai/ops-codeowners diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..ada89083 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,40 @@ +# Security + +## Reporting Security Issues + +> [!WARNING] +> Do not report security vulnerabilities through public GitHub issues! + +Instead, please submit a private vulnerability report, see below. + +## Reporting a Vulnerability + +1. **NVIDIA Vulnerability Disclosure Program (preferred)** + Submit through the NVIDIA Product Security Incident Response Team (PSIRT) web form () + This is the fastest path to triage and tracking. + +2. **Email NVIDIA PSIRT** + `psirt@nvidia.com` — encrypt sensitive reports with the + [NVIDIA PSIRT PGP key](https://www.nvidia.com/en-us/security/pgp-key). + +3. **GitHub Private Vulnerability Reporting** + Use the **Security and quality** tab on this repository → *Report a vulnerability*. + +## Report Details + +We prefer all communications to be in English. + +Reports should include the following: + +* reproducible example showing how the vulnerability can be exploited +* statement about the impact (including affected versions) + +And we'd appreciate if they also include: + +* statement about whether you are interested in implementing the fix yourself + +## Disclosure Policy + +NVIDIA PSIRT will acknowledge receipt and coordinate triage, fix development, and coordinated disclosure. + +More on NVIDIA's response process: .
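Review bot: both URLs in the new SECURITY.md are missing, so the preferred reporting path points nowhere: in item 1 the PSIRT web form is followed by bare `()`, and the last line reads `More on NVIDIA's response process: .`; fill in the two links before merging. Two smaller points in the same hunk: item 3 sends reporters to a "Security and quality" tab, but the repository tab is named "Security" (the "Report a vulnerability" button sits under Security → Advisories), and that button is only shown when private vulnerability reporting has been enabled in the repository's code security settings, so confirm it is switched on for this repo or the third option is a dead end. Finally, "Disclosure Policy" promises acknowledgement but gives no expected window; a sentence with the acknowledgement and triage timeline would tell reporters when to follow up.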