diff --git a/SECURITY.md b/SECURITY.md index 7230bdd5..153e1968 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -11,17 +11,21 @@ The Fast-LLM project is currently in a pre-release state. There are no officiall ## Reporting a Vulnerability -To report a security vulnerability in Fast-LLM, please email our [Product Security Incident Response Team (PSIRT)](https://securitylab.servicenow.com) at [disclosure@servicenow.com](mailto:disclosure@servicenow.com). Include a detailed description of the issue, steps to reproduce it, and any relevant information that may help in investigating the matter. +If you find a vulnerability in ServiceNow systems, products, or network infrastructure, our [Responsible Disclosure Program](https://www.servicenow.com/company/trust/privacy/responsible-disclosure.html#our+Commitment) is the place to make a report. +If you find a vulnerability in this open-source project published by the ServiceNow Research team, please email [servicenow-research@servicenow.com](servicenow-research@servicenow.com) to report your findings. + +We will process your report as soon as possible, depending on the severity of your report. We appreciate everyone’s help in disclosing vulnerabilities in a responsible manner. + ## Guidelines -Please follow the guidelines below when [disclosing vulnerabilities](https://www.servicenow.com/company/trust/privacy/responsible-disclosure.html): +Please follow the guidelines below when disclosing vulnerabilities: -- Report any potential security issue as soon as possible. ServiceNow will make every effort to quickly resolve the issue. -- Provide sufficient detail to reproduce the vulnerability, including proof of concept. The use of ReproNow to demonstrate reproducibility is encouraged but not required. -- Please do not disclose an issue to the public or any third party until ServiceNow has resolved it. -- Make a good faith effort to avoid privacy violations, data destruction, and interruption or degradation of our services. Only interact with accounts you own or have explicit permission from the account holder to access. -- Redact any language or images that may identify the program or ServiceNow customers from information about a resolved vulnerability. -- Do not engage in disruptive testing (such as Denial of Service attacks) or any action that could impact the confidentiality, integrity, or availability of information and systems. -- Do not engage in social engineering or phishing against customers or employees. -- Please do not request compensation for time, materials, or discovered vulnerabilities through the Responsible Disclosure Program. +- Report any potential security issue as soon as possible. We will make every effort to quickly resolve the issue. +- Provide sufficient detail to reproduce the vulnerability, including proof of concept. +- Please do not disclose an issue to the public or a third party until ServiceNow has resolved it. +- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or accounts for which you have the explicit permission of the account holder. +- Redact any language or images that may identify the program or ServiceNow customers from information about a fixed vulnerability. +- Do not engage in disruptive testing (such as DoS) or any action that could impact the confidentiality, integrity, or availability of information and systems. +- Do not engage in social engineering or phishing of customers or employees. +- Please do not request compensation for time and materials or discovered vulnerabilities.