Vulnerability Management#
Reporting Vulnerabilities#
As mentioned in the security policy, security vulnerabilities may be reported privately to the project via GitHub.
Vulnerability Management Team#
Once a vulnerability has been reported to the project, the Vulnerability Management Team (VMT) is responsible for managing the vulnerability. The VMT is responsible for:
Triaging the vulnerability.
Coordinating with reporters and project maintainers on vulnerability analysis and resolution.
Drafting of security advisories for confirmed vulnerabilities, as appropriate.
Coordination with project maintainers on a coordinated release of the fix and security advisory.
Security Advisories#
Advisories are published via GitHub through the same system used to report vulnerabilities. More information on the process can be found in the GitHub documentation.
Team Members#
We prefer to keep all vulnerability-related communication on the security report on GitHub. However, if you need to contact the VMT directly for an urgent issue, you may contact the following individuals:
Simon Mo - simon.mo@hey.com
Russell Bryant - rbryant@redhat.com
Slack Discussion#
You may use the #security
channel in the VLLM Slack
to discuss security-related topics. However, please do not disclose any
vulnerabilities in this channel. If you need to report a vulnerability, please
use the GitHub security advisory system or contact a VMT member privately.