feat: add a security policy for Haystack (deepset-ai#3130)

* add the security policy * Apply suggestions from code review Co-authored-by: Agnieszka Marzec <[email protected]> * include review feedback Co-authored-by: Agnieszka Marzec <[email protected]>
joesalvati68 · Sep 2, 2022 · b07fcb7 · b07fcb7
1 parent d4722c2
commit b07fcb7
Showing 1 changed file with 26 additions and 0 deletions.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,26 @@
+# Security Policy
+
+## Report a Vulnerability
+
+If you found a security vulnerability in Haystack, send a message to
+[[email protected]](mailto:[email protected]).
+
+In your message, please include:
+
+1. Reproducible steps to trigger the vulnerability.
+2. An explanation of what makes you think there is a vulnerability.
+3. Any information you may have on active exploitations of the vulnerability (zero-day).
+
+## Vulnerability Response
+
+We'll review your report within 5 business days and we will do a preliminary analysis
+to confirm that the vulnerability is plausible. Otherwise, we'll decline the report.
+
+We won't disclose any information you share with us but we'll use it to get the issue
+fixed or to coordinate a vendor response, as needed.
+
+We'll keep you updated of the status of the issue.
+
+Our goal is to disclose bugs as soon as possible once a user mitigation is available.
+Once we get a good understanding of the vulnerability, we'll set a disclosure date after
+consulting the author of the report and Haystack maintainers.