[PR #4404] [MERGED] Update SECURITY.md to Improve Vulnerability Reporting Process #8279

Closed
opened 2025-11-11 17:49:50 -06:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/4404
Author: @justinh-rahb
Created: 8/6/2024
Status: Merged
Merged: 8/6/2024
Merged by: @tjbck

Base: dev ← Head: security-policy


📝 Commits (4)

  • a58dfcc (https://github.com/open-webui/open-webui/commit/a58dfccb7dab4c7c42c8b4528f1d330bb1626e5f) Merge pull request #4273 from open-webui/dev
  • d3146d2 (https://github.com/open-webui/open-webui/commit/d3146d20ad74c020855142b2bf7e371f981ec098) Merge pull request #4304 from open-webui/dev
  • b193eb1 (https://github.com/open-webui/open-webui/commit/b193eb1d8288eecf35c67d6934661d186d077096) Update SECURITY.md
  • 3511595 (https://github.com/open-webui/open-webui/commit/35115957d807c7fbdd0ef91b272c8fca405c96af) Update SECURITY.md

📊 Changes

1 file changed (+18 additions, -3 deletions)

📝 docs/SECURITY.md (+18 -3)

📄 Description

This PR proposes significant updates to our SECURITY.md file to outline a new policy for reporting vulnerabilities. These changes are driven by ongoing frustrations with the low-quality submissions we have received, which often lack depth, specificity, and proof of concept (PoC). The goal of this update is to establish clear expectations for potential reporters, ensuring that only substantive and actionable reports are submitted.

Motivation:

  1. Quality over Quantity: The vast majority of vulnerability reports submitted to our project have been low-effort and unconstructive. These submissions do not contribute positively to our security posture and instead waste valuable time and resources in validation and response.

  2. Clear Expectations: We must set firm boundaries for what constitutes an acceptable vulnerability report. Requiring detailed submissions that include a well-documented PoC and proposed fixes will help us prioritize legitimate vulnerabilities while minimizing spam.

  3. Streamlined Process for Viable Reports: We want to treat valid security advisories similarly to pull requests (PRs). If reporters meet our criteria, their reports can be evaluated and merged with the same urgency we apply to feature and bug fixes, ensuring that we address critical issues promptly and efficiently.

  4. Reduction of Frustration: By reinforcing these new guidelines, we hope to discourage unproductive behavior from vulnerability hunters who do not wish to engage constructively. This will create a healthier ecosystem for reporting vulnerabilities.

Changes Implemented:

This new policy includes the following key updates:

  • Mandatory Proof of Concept (PoC): All reports must include a PoC to demonstrate the vulnerability.
  • Requirement for Detailed Submissions: Reports must be comprehensive, reflecting an understanding of the codebase and detailing the vulnerability's impact.
  • Option for Confidential Reporting: Reporters can create private forks to share reports while maintaining confidentiality.
  • Structured for Immediate Merging: Reports meeting the criteria can be merged quickly, similar to PR requests, enhancing our responsiveness to legitimate security issues.

Conclusion:

With these changes, we aim to cultivate a more effective and constructive environment for vulnerability reporting. We hope to channel community efforts into meaningful contributions that enhance the security of our project.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

GiteaMirror added the pull-request label 2025-11-11 17:49:50 -06:00
Reference: github-starred/open-webui#8279