apunkt/trustgraph
1
0
Fork 0
mirror of https://github.com/trustgraph-ai/trustgraph.git synced 2026-04-26 00:46:22 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
trustgraph/SECURITY.md
cybermaggedon 687a9e08fe
master -> release/v2.2 (#732)
2026-03-29 20:26:26 +01:00

98 lines
3.6 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Security Policy
TrustGraph is an open-source AI graph processing pipeline. We take security
seriously and appreciate the responsible disclosure of vulnerabilities by the
community.
## Supported Versions
Security updates are only provided for the latest stable release line.
Versions prior to 2.0.0 are end-of-life and will not receive security patches.
| Version | Supported |
| --------- | ------------------ |
| >= 2.0.0 | :white_check_mark: |
| < 2.0.0 | :x: |
If you are running a version older than 2.0.0, we strongly recommend upgrading
to the latest 2.x release before reporting a vulnerability, as the issue may
already be resolved.
## Reporting a Vulnerability
**Please do not report security vulnerabilities through public GitHub issues,
pull requests, or discussions.** Doing so could expose users of TrustGraph to
risk before a fix is available.
Instead, report security vulnerabilities by emailing the TrustGraph security
team directly:
📧 **[info@trustgraph.ai](mailto:info@trustgraph.ai)**
Please include as much of the following information as possible to help us
triage and resolve the issue quickly:
- A clear description of the vulnerability and its potential impact
- The affected component(s) and version(s) of TrustGraph
- Step-by-step instructions to reproduce the issue
- Proof-of-concept code or a minimal reproducing example (if applicable)
- Any suggested mitigations or patches (if you have them)
## What to Expect
After submitting a report, you can expect the following process:
1. **Acknowledgement** We will acknowledge receipt of your report within
**72 hours**.
2. **Assessment** We will investigate and assess the severity of the
vulnerability within **7 days** of acknowledgement.
3. **Updates** We will keep you informed of our progress. If we need
additional information, we will reach out to you directly.
4. **Resolution** Once a fix is developed and validated, we will coordinate
with you on the disclosure timeline before publishing a patch release.
5. **Credit** With your permission, we will publicly credit your responsible
disclosure in the release notes accompanying the fix.
## Severity Assessment
We evaluate vulnerabilities using the
[CVSS v3.1](https://www.first.org/cvss/v3-1/) scoring system as a guide:
| Severity | CVSS Score | Target Response Time |
| -------- | ---------- | -------------------- |
| Critical | 9.0 10.0 | 48 hours |
| High | 7.0 8.9 | 7 days |
| Medium | 4.0 6.9 | 30 days |
| Low | 0.1 3.9 | 90 days |
## Scope
The following are in scope for security reports:
- Core TrustGraph Python packages (`trustgraph`, `trustgraph-base`, etc.)
- The TrustGraph REST/graph gateway and processing pipeline components
- Docker and Kubernetes deployment configurations shipped in this repository
- Authentication, authorization, or data isolation issues
The following are **out of scope**:
- Third-party services or infrastructure not maintained by TrustGraph
- Issues in upstream dependencies (please report those to the respective
project maintainers)
- Denial-of-service attacks requiring significant resources
- Social engineering attacks
## Preferred Languages
We prefer all security communications in **English**.
## Policy
TrustGraph follows the principle of
[Coordinated Vulnerability Disclosure (CVD)](https://vuls.cert.org/confluence/display/CVD).
We ask that you give us a reasonable amount of time to investigate and address
a reported vulnerability before any public disclosure.
---
_Last reviewed: March 2026_
Reference in a new issue View git blame Copy permalink