From ca4aa271bdaf2bab469fd547bf0d98df6dc7a4fc Mon Sep 17 00:00:00 2001 From: Nikhil Kalbande Date: Wed, 29 Apr 2026 19:18:10 +0530 Subject: [PATCH 1/3] removed reference of ich email id as contact for raising security issues --- SECURITY.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 3c89c8718d..16d6e22e20 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -10,12 +10,10 @@ we do not have the bandwidth to carry additional issues back to those communitie We also are working on a portal which will help identify per-version SBOM, Licenses and CVEs which may be available some time this year. If you see a security issue introduced by the way we build a product, please directly file an issue with that vulunerability (if it is publicly -disclosed) against the specific build script directory that contains the issue. If the issue is sensitive, you can email to: - -ich at us dot ibm dot com +disclosed) against the specific build script directory that contains the issue. ## Reporting a Vulnerability If the vulnerability is reported via a github issue, we will try to get it assigned and looked at as quickly as possible. Given our agile process model, we look at issues like this typically at the beginning of any two week sprint so you should have some sort of -response within 4 weeks. Anything needed more urgently should be reported via the email link address identified above. +response within 4 weeks. From eddce5a737da9afb81f6c0dc47012fca2ce7ae08 Mon Sep 17 00:00:00 2001 From: Nikhil Kalbande Date: Wed, 29 Apr 2026 19:38:43 +0530 Subject: [PATCH 2/3] Added details about OSE portal --- SECURITY.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 16d6e22e20..7375ce7300 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -7,10 +7,9 @@ We currently provide build scripts for many (thousands) of open source projects Any failures within the packages that we create build scripts for should be assessed and filed with the corresponding open source project - we do not have the bandwidth to carry additional issues back to those communities or maintain the context behind those failures. -We also are working on a portal which will help identify per-version SBOM, Licenses and CVEs which may be available some time this year. +We have a Open Source Edge portal up at https://open-source-edge.developerfirst.ibm.com/ , so request to check on it which will help to identify per-version SBOM, Licenses and CVEs for limited set of packages onboarded to Manage Currency set on OSE portal. -If you see a security issue introduced by the way we build a product, please directly file an issue with that vulunerability (if it is publicly -disclosed) against the specific build script directory that contains the issue. +If you see a security issue introduced by the way we build a product, please directly file an issue in this GtiHb repo with that vulunerability (if it is publicly disclosed) against the specific build script directory that contains the issue. ## Reporting a Vulnerability From 2b24601546649940a131661686813d3e1be60983 Mon Sep 17 00:00:00 2001 From: Nikhil Kalbande Date: Fri, 1 May 2026 10:34:47 +0530 Subject: [PATCH 3/3] addressed review comments --- SECURITY.md | 21 ++++++++------------- 1 file changed, 8 insertions(+), 13 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 7375ce7300..f8c801581b 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,18 +1,13 @@ -# Security Policy +## Security Policy -## Supported Versions +### Supported Versions +We provide build scripts for many (thousands) of open source projects, often covering multiple versions per project. -We currently provide build scripts for many (thousands) of open source projects and within those projects many different versions. +Failures related to the upstream projects or their source code should be assessed and reported directly to the corresponding open source community. We do not have the bandwidth to triage, track, or maintain context for issues that originate outside of our build scripts. -Any failures within the packages that we create build scripts for should be assessed and filed with the corresponding open source project - -we do not have the bandwidth to carry additional issues back to those communities or maintain the context behind those failures. +An Open Source Edge (OSE) portal is available at https://open-source-edge.developerfirst.ibm.com/. Please review the portal to identify version-specific SBOMs, licenses, and CVEs for a limited set of packages that are onboarded to the Manage Currency set. -We have a Open Source Edge portal up at https://open-source-edge.developerfirst.ibm.com/ , so request to check on it which will help to identify per-version SBOM, Licenses and CVEs for limited set of packages onboarded to Manage Currency set on OSE portal. +If you identify a security issue introduced by our build process, please file an issue directly in this GitHub repository. If the vulnerability is publicly disclosed, ensure that the issue is reported against the specific build script directory where the issue exists. -If you see a security issue introduced by the way we build a product, please directly file an issue in this GtiHb repo with that vulunerability (if it is publicly disclosed) against the specific build script directory that contains the issue. 
- -## Reporting a Vulnerability - -If the vulnerability is reported via a github issue, we will try to get it assigned and looked at as quickly as possible. Given -our agile process model, we look at issues like this typically at the beginning of any two week sprint so you should have some sort of -response within 4 weeks. +### Reporting a Vulnerability +If a vulnerability is reported via a GitHub issue, we will make a best-effort attempt to triage and assign it as quickly as possible. Given our agile development model, such issues are typically reviewed at the start of a two-week sprint. You should expect an initial response within approximately four weeks.
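Review bot: Patch 1 (hunk `@@ -10,12 +10,10 @@`) removes the only private reporting channel (`ich at us dot ibm dot com`) without adding a replacement, yet the retained context line still reads "file an issue with that vulunerability (if it is publicly disclosed)", so after this patch a reporter holding an undisclosed vulnerability has no sanctioned path at all, and the deleted sentence "Anything needed more urgently should be reported via the email link address identified above" leaves no urgent path either. Suggest pointing to a replacement confidential channel (for example GitHub's private vulnerability reporting, if it is enabled on this repository) or stating explicitly that only publicly disclosed issues should be filed here. The `vulunerability` typo in the retained context line could also be fixed in the same patch.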
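Review bot: Patch 2 (hunk `@@ -7,10 +7,9 @@`) introduces several typos and grammar problems in the added lines: "GtiHb" should be "GitHub", "vulunerability" should be "vulnerability", "We have a Open Source Edge portal up at ... , so request to check on it" should read "We have an Open Source Edge portal at ...; please check it". These are corrected in patch 3, so consider squashing patches 2 and 3 so the intermediate commit does not land with the misspellings. The added portal sentence also only covers "a limited set of packages onboarded to Manage Currency"; it would help to say what a reporter should do for packages that are not onboarded.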
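Review bot: Patch 3 (hunk `@@ -1,18 +1,13 @@`) changes the meaning of the reporting instruction, not just its wording: the old text said to file a GitHub issue "if it is publicly disclosed", while the new line "please file an issue directly in this GitHub repository. If the vulnerability is publicly disclosed, ensure that the issue is reported against the specific build script directory" asks for a public issue unconditionally and makes disclosure status govern only where to file it, so an undisclosed vulnerability would now be posted publicly. Suggest restoring the condition, e.g. "If the vulnerability is already publicly disclosed, file an issue ... against the specific build script directory; otherwise ...", together with whatever private channel replaces the email removed in patch 1. Two smaller points: the heading levels are demoted from `#`/`##` to `##`/`###`, which leaves SECURITY.md without a top-level heading (confirm this is intentional), and the "Supported Versions" section still does not state which versions are supported.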