Create SECURITY.md (#253)
This commit introduces a SECURITY.md file to guide the responsible disclosure and handling of vulnerabilities in mLoRA. 

Key highlights:
- Users are encouraged to report issues such as data poisoning, pipeline parallelism security risks, and container vulnerabilities.
- Clear instructions are provided for reporting vulnerabilities via email or confidential GitHub issues.
- Areas of concern include Docker security, API misuse, and credential management.
- Guidelines are established for investigating and patching reported vulnerabilities.

The policy aims to improve the security posture of the project and provide contributors and users with a responsible process for addressing security risks.
Saf9933 authored Oct 7, 2024
1 parent 6962b3c commit a59cddd
Showing 1 changed file with 30 additions and 0 deletions.
30 changes: 30 additions & 0 deletions SECURITY.md
@@ -0,0 +1,30 @@
# Security Policy for mLoRA

## Reporting a Vulnerability

If you discover a security vulnerability in mLoRA, we request that you report it responsibly.

Please **do not publicly disclose the vulnerability** until we have had a chance to assess and address it. You can report the vulnerability through email:

- **Email**: Send an email to `[email protected]` detailing the nature of the vulnerability, steps to reproduce it, and any potential impact.

We aim to **respond to reported vulnerabilities ASAP** and will work with you to investigate and resolve the issue as quickly as possible.

## Areas of Concern

We encourage you to report issues related to:

- **Data Poisoning Attacks**: If you notice that training data is compromised or if any unexpected model behaviors occur that may result from malicious data.
- **Pipeline Parallelism Security**: If you identify vulnerabilities in the communication between nodes when using pipeline parallelism, such as unencrypted connections or unauthorized access.
- **Container Security**: Vulnerabilities in our Docker images, such as insecure configurations or exposed SSH access.
- **Credential Management**: Issues related to insecure handling of environment variables, passwords, or API keys.
- **API Misuse**: Unauthorized usage of mLoRA as a service, overloading the API, or attempting to extract sensitive model information.

## Fixing Vulnerabilities

Once a vulnerability is confirmed, we will:

1. Work on a patch to fix the vulnerability.
2. Publish a **security advisory** on GitHub to notify users of the issue and the resolution.

Thank you for helping to improve the security of mLoRA!
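Review bot: the commit message promises two reporting channels ("email or confidential GitHub issues"), but the "Reporting a Vulnerability" section of this hunk lists only the email bullet; either add a second bullet pointing reporters to GitHub's private vulnerability reporting for the repository, or drop that claim from the description. Two smaller points in the same section: the address renders here as `[email protected]`, so confirm the committed file carries the real mailbox, and "respond to reported vulnerabilities ASAP" sets no expectation for the reporter, where a concrete acknowledgement window (for example "within 5 business days") is the usual practice. In "Fixing Vulnerabilities", consider also stating which versions receive fixes and whether reporters are credited in the advisory, since both are questions a reporter will otherwise have to ask.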
