diff --git a/README.md b/README.md index 52df2720..94cb4ddc 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,7 @@ -[![PyPI version](https://img.shields.io/pypi/v/trustgraph.svg)](https://pypi.org/project/trustgraph/) ![E2E Tests](https://github.com/trustgraph-ai/trustgraph/actions/workflows/release.yaml/badge.svg) +[![PyPI version](https://img.shields.io/pypi/v/trustgraph.svg)](https://pypi.org/project/trustgraph/) [![License](https://img.shields.io/github/license/trustgraph-ai/trustgraph?color=blue)](LICENSE) ![E2E Tests](https://github.com/trustgraph-ai/trustgraph/actions/workflows/release.yaml/badge.svg) [![Discord](https://img.shields.io/discord/1251652173201149994 )](https://discord.gg/sQMwkRz5GX) [![Ask DeepWiki](https://deepwiki.com/badge.svg)](https://deepwiki.com/trustgraph-ai/trustgraph) diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..a7093091 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,98 @@ +# Security Policy + +TrustGraph is an open-source AI graph processing pipeline. We take security +seriously and appreciate the responsible disclosure of vulnerabilities by the +community. + +## Supported Versions + +Security updates are only provided for the latest stable release line. +Versions prior to 2.0.0 are end-of-life and will not receive security patches. + +| Version | Supported | +| --------- | ------------------ | +| >= 2.0.0 | :white_check_mark: | +| < 2.0.0 | :x: | + +If you are running a version older than 2.0.0, we strongly recommend upgrading +to the latest 2.x release before reporting a vulnerability, as the issue may +already be resolved. + +## Reporting a Vulnerability + +**Please do not report security vulnerabilities through public GitHub issues, +pull requests, or discussions.** Doing so could expose users of TrustGraph to +risk before a fix is available. + +Instead, report security vulnerabilities by emailing the TrustGraph security +team directly: + +📧 **[info@trustgraph.ai](mailto:info@trustgraph.ai)** + +Please include as much of the following information as possible to help us +triage and resolve the issue quickly: + +- A clear description of the vulnerability and its potential impact +- The affected component(s) and version(s) of TrustGraph +- Step-by-step instructions to reproduce the issue +- Proof-of-concept code or a minimal reproducing example (if applicable) +- Any suggested mitigations or patches (if you have them) + +## What to Expect + +After submitting a report, you can expect the following process: + +1. **Acknowledgement** — We will acknowledge receipt of your report within + **72 hours**. +2. **Assessment** — We will investigate and assess the severity of the + vulnerability within **7 days** of acknowledgement. +3. **Updates** — We will keep you informed of our progress. If we need + additional information, we will reach out to you directly. +4. **Resolution** — Once a fix is developed and validated, we will coordinate + with you on the disclosure timeline before publishing a patch release. +5. **Credit** — With your permission, we will publicly credit your responsible + disclosure in the release notes accompanying the fix. + +## Severity Assessment + +We evaluate vulnerabilities using the +[CVSS v3.1](https://www.first.org/cvss/v3-1/) scoring system as a guide: + +| Severity | CVSS Score | Target Response Time | +| -------- | ---------- | -------------------- | +| Critical | 9.0 – 10.0 | 48 hours | +| High | 7.0 – 8.9 | 7 days | +| Medium | 4.0 – 6.9 | 30 days | +| Low | 0.1 – 3.9 | 90 days | + +## Scope + +The following are in scope for security reports: + +- Core TrustGraph Python packages (`trustgraph`, `trustgraph-base`, etc.) +- The TrustGraph REST/graph gateway and processing pipeline components +- Docker and Kubernetes deployment configurations shipped in this repository +- Authentication, authorization, or data isolation issues + +The following are **out of scope**: + +- Third-party services or infrastructure not maintained by TrustGraph +- Issues in upstream dependencies (please report those to the respective + project maintainers) +- Denial-of-service attacks requiring significant resources +- Social engineering attacks + +## Preferred Languages + +We prefer all security communications in **English**. + +## Policy + +TrustGraph follows the principle of +[Coordinated Vulnerability Disclosure (CVD)](https://vuls.cert.org/confluence/display/CVD). +We ask that you give us a reasonable amount of time to investigate and address +a reported vulnerability before any public disclosure. + +--- + +_Last reviewed: March 2026_