|
| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Supported Versions |
| 4 | + |
| 5 | +We actively support the following versions of Tensor Fusion with security updates: |
| 6 | + |
| 7 | +| Version | Supported | |
| 8 | +| ------- | ------------------ | |
| 9 | +| 1.x.x | :white_check_mark: | |
| 10 | +| < 1.0 | :white_check_mark: | |
| 11 | + |
| 12 | +## Reporting a Vulnerability |
| 13 | + |
| 14 | +We take the security of Tensor Fusion seriously. If you believe you have found a security vulnerability in our GPU virtualization and pooling solution, please report it to us as described below. |
| 15 | + |
| 16 | +### How to Report |
| 17 | + |
| 18 | +**Please do NOT report security vulnerabilities through public GitHub issues.** |
| 19 | + |
| 20 | +Instead, please report them via email to: **[email protected]** |
| 21 | + |
| 22 | +If you prefer, you can also contact us through our support channel: **[email protected]** |
| 23 | + |
| 24 | +### What to Include |
| 25 | + |
| 26 | +Please include the following information in your report: |
| 27 | + |
| 28 | +- Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.) |
| 29 | +- Full paths of source file(s) related to the manifestation of the issue |
| 30 | +- The location of the affected source code (tag/branch/commit or direct URL) |
| 31 | +- Any special configuration required to reproduce the issue |
| 32 | +- Step-by-step instructions to reproduce the issue |
| 33 | +- Proof-of-concept or exploit code (if possible) |
| 34 | +- Impact of the issue, including how an attacker might exploit the issue |
| 35 | + |
| 36 | +### Response Timeline |
| 37 | + |
| 38 | +- **Initial Response**: We will acknowledge receipt of your vulnerability report within 48 hours. |
| 39 | +- **Assessment**: We will provide an initial assessment within 5 business days. |
| 40 | +- **Resolution**: We aim to resolve critical vulnerabilities within 30 days, and other vulnerabilities within 90 days. |
| 41 | + |
| 42 | +### Responsible Disclosure |
| 43 | + |
| 44 | +We kindly ask that you: |
| 45 | + |
| 46 | +- Give us reasonable time to investigate and mitigate an issue before making any information public |
| 47 | +- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services |
| 48 | +- Only interact with accounts you own or with explicit permission of the account holder |
| 49 | + |
| 50 | +## Security Considerations |
| 51 | + |
| 52 | +### GPU Virtualization Security |
| 53 | + |
| 54 | +Tensor Fusion handles sensitive GPU resources and workloads. Key security considerations include: |
| 55 | + |
| 56 | +- **Isolation**: GPU workloads are isolated between different tenants |
| 57 | +- **Authentication**: All API access requires proper authentication |
| 58 | +- **Authorization**: Role-based access control (RBAC) for different operations |
| 59 | +- **Encryption**: Data in transit is encrypted using TLS 1.3 |
| 60 | +- **Audit Logging**: All administrative actions are logged for security monitoring |
| 61 | + |
| 62 | +### Kubernetes Security |
| 63 | + |
| 64 | +When deploying Tensor Fusion in Kubernetes: |
| 65 | + |
| 66 | +- Use proper RBAC configurations |
| 67 | +- Ensure network policies are in place |
| 68 | +- Keep Kubernetes cluster updated |
| 69 | +- Use secure container images |
| 70 | +- Implement pod security standards |
| 71 | + |
| 72 | +### Enterprise Features Security |
| 73 | + |
| 74 | +Our Enterprise features include additional security measures: |
| 75 | + |
| 76 | +- **Encryption at Rest**: GPU context and model data encryption |
| 77 | +- **SSO/SAML Support**: Integration with enterprise identity providers |
| 78 | +- **Advanced Audit**: Comprehensive audit trails |
| 79 | +- **Compliance**: SOC2 and other compliance reports available |
| 80 | + |
| 81 | +## Security Updates |
| 82 | + |
| 83 | +Security updates will be released as patch versions and communicated through: |
| 84 | + |
| 85 | +- GitHub Security Advisories |
| 86 | +- Release notes |
| 87 | +- Email notifications to enterprise customers |
| 88 | +- Discord announcements: https://discord.gg/2bybv9yQNk |
| 89 | + |
| 90 | +## Best Practices |
| 91 | + |
| 92 | +### For Administrators |
| 93 | + |
| 94 | +- Regularly update Tensor Fusion to the latest version |
| 95 | +- Monitor security advisories and apply patches promptly |
| 96 | +- Use strong authentication mechanisms |
| 97 | +- Implement proper network segmentation |
| 98 | +- Regular security audits of your deployment |
| 99 | + |
| 100 | +### For Developers |
| 101 | + |
| 102 | +- Follow secure coding practices when contributing |
| 103 | +- Run security scans on your code changes |
| 104 | +- Report any suspicious behavior or potential vulnerabilities |
| 105 | +- Keep dependencies updated |
| 106 | + |
| 107 | +## Security Resources |
| 108 | + |
| 109 | +- [Apache 2.0 License](LICENSE) |
| 110 | +- [Contributing Guidelines](CONTRIBUTING.md) |
| 111 | +- [Documentation](https://tensor-fusion.ai) |
| 112 | +- [Discord Community](https://discord.gg/2bybv9yQNk) |
| 113 | + |
| 114 | +## Contact |
| 115 | + |
| 116 | +For security-related questions or concerns: |
| 117 | + |
| 118 | +- **Security Team **: [email protected] |
| 119 | +- **General Support **: [email protected] |
| 120 | +- **Enterprise Support**: Available for licensed users |
| 121 | + |
| 122 | +--- |
| 123 | + |
| 124 | +**Note**: This security policy applies to the open-source components of Tensor Fusion. Enterprise features may have additional security policies and procedures. Please contact us for enterprise-specific security information. |
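Review bot: The Supported Versions table (new lines 9-10) marks both `1.x.x` and `< 1.0` as :white_check_mark:, so it never tells a reporter which releases are out of support. Either mark `< 1.0` as unsupported or replace the table with a sentence stating that all releases receive security fixes. In the Contact section (lines 118-119), `**Security Team **` and `**General Support **` have a space before the closing `**`, which prevents them from rendering as bold; drop the trailing space to match `**Enterprise Support**` on line 120. The report checklist asks for proof-of-concept or exploit code (line 33) to be sent by plain email (line 20) with no encrypted option; consider publishing a PGP key or pointing to GitHub private vulnerability reporting. The closing note (line 124) scopes the policy to the open-source components, yet lines 72-79 describe Enterprise features, so one of the two should be reworded.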