Security: bbvch-ai/aihub-core

SECURITY.md

Security Policy

The Swiss AI-Hub team and community take security bugs seriously. We appreciate your efforts to responsibly disclose your findings, and we will make every effort to acknowledge and address them.

Supported Versions

We provide security updates for the following versions of the Swiss AI-Hub:

Version Supported
1.x.x
0.x.x

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

We follow a coordinated disclosure process to ensure the security of our users.

1. Private GitHub Advisory (Preferred Method)

The best way to report a vulnerability is privately through GitHub's security advisory system.

  1. Go to the "Security" tab of the swiss-ai-hub repository.
  2. Click on "Report a vulnerability" (or go directly to https://github.com/bbvch-ai/aihub-core/security/advisories/new).
  3. Fill out the form with as much detail as possible.

2. Discord (Alternative Method)

If you are unable to use GitHub Advisories, you can send a private message to a member of the Swiss AI-Hub team on Discord.

What to Include in Your Report

To help us validate and fix the issue quickly, please provide:

  • Summary: A clear description of the vulnerability.
  • Impact: What an attacker can do with this vulnerability.
  • Proof of Concept: Detailed steps to reproduce the vulnerability. This can be code, cURL commands, or a clear text-based walkthrough.
  • Affected Versions: Which versions of the project are affected.

Our Process

  1. Acknowledgement: We will acknowledge receipt of your report within 3-5 business days.
  2. Validation: We will investigate the report and may ask for additional information.
  3. Collaboration: Once validated, we will open a private GitHub Security Advisory to communicate with you about the fix and disclosure timeline.
  4. Patch & Release: We will develop a patch and release it in a new version as quickly as possible.
  5. Public Disclosure: After the patch is released, we will publicly disclose the vulnerability. We typically delay detailed disclosure for 2-4 weeks to give the community time to upgrade.

🚫 Out of Scope

This security policy is not for:

Bug Bounties

We do not currently offer a paid bug bounty program.