apunkt/trustgraph
1
0
Fork 0
mirror of https://github.com/trustgraph-ai/trustgraph.git synced 2026-04-25 00:16:23 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
trustgraph/SECURITY.md

99 lines
3.6 KiB
Markdown
Raw Normal View History

Add security policy (#731)
2026-03-29 19:17:48 +00:00
# Security Policy
TrustGraph is an open-source AI graph processing pipeline. We take security
seriously and appreciate the responsible disclosure of vulnerabilities by the
community.
## Supported Versions
Security updates are only provided for the latest stable release line.
Versions prior to 2.0.0 are end-of-life and will not receive security patches.
| Version | Supported |
| --------- | ------------------ |
| >= 2.0.0 | :white_check_mark: |
| < 2.0.0 | :x: |
If you are running a version older than 2.0.0, we strongly recommend upgrading
to the latest 2.x release before reporting a vulnerability, as the issue may
already be resolved.
## Reporting a Vulnerability
**Please do not report security vulnerabilities through public GitHub issues,
pull requests, or discussions.** Doing so could expose users of TrustGraph to
risk before a fix is available.
Instead, report security vulnerabilities by emailing the TrustGraph security
team directly:
📧 **[info@trustgraph.ai](mailto:info@trustgraph.ai)**
Please include as much of the following information as possible to help us
triage and resolve the issue quickly:
- A clear description of the vulnerability and its potential impact
- The affected component(s) and version(s) of TrustGraph
- Step-by-step instructions to reproduce the issue
- Proof-of-concept code or a minimal reproducing example (if applicable)
- Any suggested mitigations or patches (if you have them)
## What to Expect
After submitting a report, you can expect the following process:
1. **Acknowledgement** — We will acknowledge receipt of your report within
**72 hours**.
2. **Assessment** — We will investigate and assess the severity of the
vulnerability within **7 days** of acknowledgement.
3. **Updates** — We will keep you informed of our progress. If we need
additional information, we will reach out to you directly.
4. **Resolution** — Once a fix is developed and validated, we will coordinate
with you on the disclosure timeline before publishing a patch release.
5. **Credit** — With your permission, we will publicly credit your responsible
disclosure in the release notes accompanying the fix.
## Severity Assessment
We evaluate vulnerabilities using the
[CVSS v3.1](https://www.first.org/cvss/v3-1/) scoring system as a guide:
| Severity | CVSS Score | Target Response Time |
| -------- | ---------- | -------------------- |
| Critical | 9.0 10.0 | 48 hours |
| High | 7.0 8.9 | 7 days |
| Medium | 4.0 6.9 | 30 days |
| Low | 0.1 3.9 | 90 days |
## Scope
The following are in scope for security reports:
- Core TrustGraph Python packages (`trustgraph`, `trustgraph-base`, etc.)
- The TrustGraph REST/graph gateway and processing pipeline components
- Docker and Kubernetes deployment configurations shipped in this repository
- Authentication, authorization, or data isolation issues
The following are **out of scope**:
- Third-party services or infrastructure not maintained by TrustGraph
- Issues in upstream dependencies (please report those to the respective
project maintainers)
- Denial-of-service attacks requiring significant resources
- Social engineering attacks
## Preferred Languages
We prefer all security communications in **English**.
## Policy
TrustGraph follows the principle of
[Coordinated Vulnerability Disclosure (CVD)](https://vuls.cert.org/confluence/display/CVD).
We ask that you give us a reasonable amount of time to investigate and address
a reported vulnerability before any public disclosure.
---
_Last reviewed: March 2026_
Reference in a new issue Copy permalink