
Please add a security policy on how to report security issues

Open ericwb opened this issue 1 year ago • 5 comments

Confirm this is a feature request for the Python library and not the underlying OpenAI API.

  • [X] This is a feature request for the Python library

Describe the feature or improvement you're requesting

Please add a security policy to this GitHub repo. I can't find any information on how to report security issues in private. Using the issue tracker would be undesirable as it could zero-day some exploits reported.

Additional context

For example, these issues really should have been reported privately:

  • https://github.com/openai/openai-python/issues/1082
  • https://github.com/openai/openai-python/issues/1196

ericwb avatar Mar 28 '24 17:03 ericwb

Maybe at least consider pointing to https://openai.com/policies/coordinated-vulnerability-disclosure-policy

ericwb avatar Mar 29 '24 02:03 ericwb

Hey thanks, this is a good call-out. We'll discuss internally. For now that link should work. For SDK-specific vulns, you can also email [email protected].

rattrayalex avatar Mar 29 '24 03:03 rattrayalex

What are some places you would expect to find this in a library like this? CONTRIBUTING.md?

rattrayalex avatar Mar 29 '24 03:03 rattrayalex

> What are some places you would expect to find this in a library like this? CONTRIBUTING.md?

Typically there is a security.md policy file you define as part of the repo. GitHub has some instructions here on how to set that up: https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository.

Once set up, it'll show up here: https://github.com/openai/openai-python/security. But it would also be beneficial to change the issue template to point folks to the security policy to report any vulnerabilities.

ericwb avatar Mar 29 '24 05:03 ericwb
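As an added illustration of the second suggestion above (routing reporters away from the public issue tracker), not a file from the openai-python repository: GitHub's issue-template chooser reads an optional `.github/ISSUE_TEMPLATE/config.yml`, whose `contact_links` entries appear alongside the regular templates when someone clicks "New issue". The path and field names are GitHub's documented format; the link text, the `about` wording and the choice to disable blank issues are assumptions for this example, and the URL is the repository security page cited in the thread.

```yaml
# Assumed path: .github/ISSUE_TEMPLATE/config.yml
# Example only; not from the openai-python repository.

# Hide the "open a blank issue" option so every reporter goes through
# the chooser and sees the security contact link (assumed setting).
blank_issues_enabled: false

contact_links:
  - name: Report a security vulnerability
    # Once SECURITY.md exists, this page renders the policy and, if
    # private vulnerability reporting is enabled, the private report form.
    url: https://github.com/openai/openai-python/security
    about: >-
      Please do not file vulnerabilities as public issues. Use the
      security policy linked here to report them privately.
```

The link only helps if the security page has something behind it, so the `SECURITY.md` file from the GitHub guide linked above should land in the same change; otherwise the chooser sends reporters to an empty policy page.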

Ah, terrific – we'll get that set up next week! Thank you so much @ericwb !

rattrayalex avatar Mar 29 '24 19:03 rattrayalex