This policy borrows heavily from the recommendations of the OpenSSF Vulnerability Disclosure working group. For the latest recommendations on vulnerability disclosure, please visit that working group's GitHub repository.
This project offers the following ways to submit security vulnerabilities. The security team will do its best to respond to bugs disclosed through any channel, but reporters are encouraged to use one of the following approved channels:
- Email the LF Decentralized Trust security email list: To report a security issue, send an email containing the name of the project/repository, a description of the issue, the steps needed to reproduce it, the affected versions, and, if known, any mitigations. If, while triaging the email, the security team determines that the issue may be a security vulnerability, it will open a GitHub security vulnerability report.
- Open a GitHub security vulnerability report: Create a draft security advisory from the "Security" tab of this GitHub repository. See the GitHub Security Advisories documentation to learn more about GitHub's security infrastructure.
This project does not currently maintain an embargo list, because it does not yet have large-scale downstream deployments that would require advance notice of a fix.