mirror of
https://github.com/alibaba/open-code-review.git
synced 2026-07-09 17:28:58 +00:00
Add security policy covering vulnerability reporting channels (GitHub Private Vulnerability Reporting + email), response timeline, and scope definition to meet OpenSSF Best Practices Reporting criteria.
1.9 KiB
1.9 KiB
Security Policy
Supported Versions
| Version | Supported |
|---|---|
| Latest | ✅ |
| < Latest | ❌ |
Only the latest released version receives security updates. Users are encouraged to upgrade promptly.
Reporting a Vulnerability
Please do NOT report security vulnerabilities through public GitHub issues.
Instead, use one of the following channels:
- GitHub Private Vulnerability Reporting — go to the Security Advisories page and submit a new advisory.
- Email — send a report to open-code-review-security@alibabacloud.com with the details below.
What to Include
- A description of the vulnerability and its potential impact.
- Step-by-step instructions to reproduce the issue.
- Affected version(s).
- Any suggested fix or mitigation, if available.
Response Timeline
- Acknowledgment: within 3 business days of receiving your report.
- Initial Assessment: within 7 business days.
- Fix & Disclosure: we aim to release a fix within 14 days for confirmed critical or high-severity issues, coordinating disclosure with the reporter.
Scope
The following are in scope for security reports:
- Remote code execution or command injection via crafted diffs, configs, or LLM responses.
- Credential or API key leakage through logs, telemetry, or output files.
- Path traversal allowing reads/writes outside the intended working directory.
- Vulnerabilities in dependencies that are exploitable through this project.
Out of scope:
- Issues in third-party LLM providers or APIs.
- Denial-of-service attacks that require local access.
- Social engineering attacks.
Recognition
We appreciate the security research community's efforts. Reporters who follow responsible disclosure will be credited in the release notes (unless they prefer to remain anonymous).