Vulnerability Management

Reporting Vulnerabilities

As mentioned in the security policy, security vulnerabilities may be reported privately to the project via GitHub.

Vulnerability Management Team

Once a vulnerability has been reported to the project, the Vulnerability Management Team (VMT) is responsible for managing the vulnerability. The VMT is responsible for:

  • Triaging the vulnerability.

  • Coordinating with reporters and project maintainers on vulnerability analysis and resolution.

  • Drafting security advisories for confirmed vulnerabilities, as appropriate.

  • Coordinating with project maintainers on a joint release of the fix and the security advisory.

Security Advisories

Advisories are published via GitHub through the same system used to report vulnerabilities. More information on the process can be found in the GitHub documentation.

Team Members

We prefer to keep all vulnerability-related communication on the security report on GitHub. However, if you need to contact the VMT directly for an urgent issue, you may contact the following individuals:

  • Simon Mo - simon.mo@hey.com

  • Russell Bryant - rbryant@redhat.com

Slack Discussion

You may use the #security channel in the vLLM Slack to discuss security-related topics. However, please do not disclose any vulnerabilities in this channel. If you need to report a vulnerability, please use the GitHub security advisory system or contact a VMT member privately.