|
|
@@ -11,10 +11,23 @@ Our primary goal is to ensure the protection and confidentiality of sensitive da
|
|
|
|
|
|
## Reporting a Vulnerability
|
|
|
|
|
|
-If you discover a security issue within our system, please notify us immediately via a pull request or contact us on discord.
|
|
|
+We appreciate the community's interest in identifying potential vulnerabilities. However, effective immediately, we will **not** accept low-effort vulnerability reports. To ensure that submissions are constructive and actionable, please adhere to the following guidelines:
|
|
|
+
|
|
|
+1. **No Vague Reports**: Submissions such as "I found a vulnerability" without any details will be treated as spam and will not be accepted.
|
|
|
+
|
|
|
+2. **In-Depth Understanding Required**: Reports must reflect a clear understanding of the codebase and provide specific details about the vulnerability, including the affected components and potential impacts.
|
|
|
+
|
|
|
+3. **Proof of Concept (PoC) is Mandatory**: Each submission must include a well-documented proof of concept (PoC) that demonstrates the vulnerability. If confidentiality is a concern, reporters are encouraged to create a private fork of the repository and share access with the maintainers to maintain privacy. Reports lacking valid evidence will be disregarded.
|
|
|
+
|
|
|
+4. **Proposed Solutions**: We expect submissions to include actionable suggestions for remediation. Reports without a proposed fix will not be accepted.
|
|
|
+
|
|
|
+Submissions that do not meet these criteria will be closed, and repeat offenders may face a ban from future submissions. We aim to create a respectful and constructive reporting environment, and low-effort submissions hinder that goal.
|
|
|
|
|
|
## Product Security
|
|
|
|
|
|
-We regularly audit our internal processes and system's architecture for vulnerabilities using a combination of automated and manual testing techniques.
|
|
|
+We regularly audit our internal processes and system architecture for vulnerabilities using a combination of automated and manual testing techniques. We are also planning to implement SAST and SCA scans in our project soon.
|
|
|
+
|
|
|
+For immediate concerns or detailed reports that meet our guidelines, please create an issue in our [issue tracker](/open-webui/open-webui/issues) or contact us on [Discord](https://discord.gg/5rJgQTnV4s).
|
|
|
|
|
|
-We are planning on implementing SAST and SCA scans in our project soon.
|
|
|
+---
|
|
|
+_Last updated on **2024-08-06**._
|
Justin Hayes