[Security] Request for a security reporting policy

[ShenaoW]

Hi maintainers,

I believe I may have found a security-related issue in this project. Before sharing any details, I wanted to check whether you have a private vulnerability disclosure channel.

At the moment, I could not find a SECURITY.md policy in the repository. Would you consider adding one, or pointing me to the correct contact method for responsible disclosure?

I’m happy to share the details privately.

Thanks for your time.

[CyCle1024]

Hi maintainers,

I believe I may have found a security-related issue in this project. Before sharing any details, I wanted to check whether you have a private vulnerability disclosure channel.

At the moment, I could not find a SECURITY.md policy in the repository. Would you consider adding one, or pointing me to the correct contact method for responsible disclosure?

I’m happy to share the details privately.

Thanks for your time.

Hi, we are willing to talk about the security-related issue, and for now we do not have any official private vulnerability disclosure channel. You can contact me with email cycle1024@gmail.com and then we can exchange other IM contact information, like wechat.

[ShenaoW]

Hi maintainers,
I believe I may have found a security-related issue in this project. Before sharing any details, I wanted to check whether you have a private vulnerability disclosure channel.
At the moment, I could not find a SECURITY.md policy in the repository. Would you consider adding one, or pointing me to the correct contact method for responsible disclosure?
I’m happy to share the details privately.
Thanks for your time.

Hi, we are willing to talk about the security-related issue, and for now we do not have any official private vulnerability disclosure channel. You can contact me with email cycle1024@gmail.com and then we can exchange other IM contact information, like wechat.

For security and traceability reasons, I would prefer to use GitHub’s private security advisory workflow rather than personal email or chat.

If you’re open to it, could you please enable private vulnerability reporting for the repository?

According to GitHub’s documentation, repository owners/admins of public repositories can enable this in:

Repository → Settings → Security / Advanced Security → Private vulnerability reporting → Enable

GitHub’s docs on enabling it: (https://docs.github.com/en/code-security/how-tos/report-and-fix-vulnerabilities/configure-vulnerability-reporting/configuring-private-vulnerability-reporting-for-a-repository?learn=security_advisories&learnProduct=code-security)

I’m happy to submit the report as soon as that channel is available.

Thanks again.

[CyCle1024]

@ShenaoW We have enabled the GitHub’s private security advisory, see: https://github.com/InternLM/xtuner/security/advisories. Welcome to submit the report.