# Security Policy

Our primary goal is to ensure the protection and confidentiality of sensitive data stored by users on open-webui.

## Supported Versions

| Version | Supported          |
| ------- | ------------------ |
| main    | :white_check_mark: |
| others  | :x:                |

## Reporting a Vulnerability

We appreciate the community's interest in identifying potential vulnerabilities. However, effective immediately, we will **not** accept low-effort vulnerability reports. To ensure that submissions are constructive and actionable, please adhere to the following guidelines:

1. **No Vague Reports**: Submissions such as "I found a vulnerability" without any details will be treated as spam and will not be accepted.

2. **In-Depth Understanding Required**: Reports must reflect a clear understanding of the codebase and provide specific details about the vulnerability, including the affected components and potential impacts.

3. **Proof of Concept (PoC) is Mandatory**: Each submission must include a well-documented proof of concept (PoC) that demonstrates the vulnerability. If confidentiality is a concern, reporters are encouraged to create a private fork of the repository and share access with the maintainers. Reports lacking valid evidence will be disregarded.

4. **Required Patch Submission**: Along with the PoC, reporters must provide a patch or actionable steps to remediate the identified vulnerability. This helps us evaluate and implement fixes rapidly.

5. **Streamlined Merging Process**: When vulnerability reports meet the above criteria, we can consider them for immediate merging, similar to regular pull requests. Well-structured and thorough submissions will expedite the process of enhancing our security.

Submissions that do not meet these criteria will be closed, and repeat offenders may face a ban from future submissions. We aim to create a respectful and constructive reporting environment, where high-quality submissions foster better security for everyone.

## Product Security

We regularly audit our internal processes and system architecture for vulnerabilities using a combination of automated and manual testing techniques. We are also planning to add SAST (static application security testing) and SCA (software composition analysis) scans to the project soon.

For immediate concerns or detailed reports that meet our guidelines, please create an issue in our [issue tracker](/open-webui/open-webui/issues) or contact us on [Discord](https://discord.gg/5rJgQTnV4s).

---

_Last updated on **2024-08-06**._