add the security policy

deepset-ai · Aug 29, 2022 · 02a0170 · 02a0170
1 parent 4e518cd
commit 02a0170
Showing 1 changed file with 26 additions and 0 deletions.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,26 @@
+# Security Policy
+
+## Report a Vulnerability
+
+If you found a security vulnerability in Haystack, please send a message to
+[security@deepset.ai](mailto:security@deepset.ai).
+
+If possible, please include:
+
+1. Reproducible steps on how to trigger the vulnerability.
+2. A description on why you are convinced that it exists.
+3. Any information you may have on active exploitations of the vulnerability (zero-day).
+
+## Vulnerability Response
+
+Your report will be acknowledged within 5 business days, we will do a preliminary analysis
+to confirm that the vulnerability is a plausible claim or decline the report otherwise.
+
+Any information shared with the deepset security team will stay within deepset and will not
+be disclosed, except as required to get the issue fixed or to coordinate a vendor response.
+
+We will keep the reporter updated as the security issue moves through our process.
+
+Our goal is to disclose bugs as soon as possible once a user mitigation is available. We
+will set a disclosure date once the bug is well-understood (in consultation with the bug
+reporter and Haystack maintainers).