The Swiss AI-Hub team and community take security bugs seriously. We appreciate your efforts to responsibly disclose your findings, and we will make every effort to acknowledge and address them.
We provide security updates for the following versions of the Swiss AI-Hub:
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| 0.x.x | ❌ |
Please do not report security vulnerabilities through public GitHub issues.
We follow a coordinated disclosure process to ensure the security of our users.
The best way to report a vulnerability is privately through GitHub's security advisory system.
- Go to the "Security" tab of the swiss-ai-hub repository.
- Click on "Report a vulnerability" (or go directly to https://github.com/bbvch-ai/aihub-core/security/advisories/new).
- Fill out the form with as much detail as possible.
If you are unable to use GitHub Security Advisories, you can instead send a private (direct) message to a member of the Swiss AI-Hub team on Discord. Please do not post vulnerability details in public Discord channels.
To help us validate and fix the issue quickly, please provide:
- Summary: A clear description of the vulnerability.
- Impact: What an attacker can do with this vulnerability.
- Proof of Concept: Detailed steps to reproduce the vulnerability. This can be code, cURL commands, or a clear text-based walkthrough.
- Affected Versions: Which versions of the project are affected.
Once you have submitted a report, here is what you can expect from us:
- Acknowledgement: We will acknowledge receipt of your report within 3-5 business days.
- Validation: We will investigate the report and may ask for additional information.
- Collaboration: Once validated, we will open a private GitHub Security Advisory to communicate with you about the fix and disclosure timeline.
- Patch & Release: We will develop a patch and release it in a new version as quickly as possible.
- Public Disclosure: After the patch is released, we will publicly disclose the vulnerability. We typically delay detailed disclosure for 2-4 weeks to give the community time to upgrade.
This security policy is not for:
- General bug reports (please use GitHub Issues)
- Support questions or "how-to" guides (please join our Discord Server)
- Help with configuring or deploying the platform (please join our Discord Server)
We do not currently offer a paid bug bounty program.