maint: Test "Lint PR" workflow (amannn/action-semantic-pull-request workflow) #2

Open
wants to merge 1 commit into
base: main
75 changes: 70 additions & 5 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -1,8 +1,73 @@
# Security issues
# Security Policy

If you find a security issue and want to responsibly disclose it, please contact the following email addresses:
## Reporting a Vulnerability

Wolf Vollprecht <[email protected]>
QuantStack <[email protected]>
The mamba team takes security issues seriously. We appreciate your efforts to responsibly disclose your findings.

Thanks!
### Reporting Process

1. **DO NOT** open a public issue to report a security vulnerability.
2. Instead, please email your findings to [[email protected]](mailto:[email protected]).
3. Include as much information as possible to help us understand and reproduce the issue:
- A detailed description of the vulnerability
- Steps to reproduce the issue
- Potential impact of the vulnerability
- Any possible mitigations
- Your name/handle if you'd like to be credited

### What to Expect

- You will receive an acknowledgment of your report within 48 hours.
- The team will investigate and provide regular updates about the progress.
- Once the issue is confirmed, we will work on a fix.
- After the fix is released, we will publicly acknowledge the discovery (unless you prefer to remain anonymous).

## Supported Versions

We currently provide security updates for the following versions:

| Version | Supported |
| ------- | ------------------ |
| 1.x.x | :white_check_mark: |
| < 1.0 | :x: |

## Security Best Practices

When using mamba in your projects:

1. Always use the latest stable version
2. Regularly update your dependencies
3. Use trustworthy package sources
4. Follow the principle of least privilege when configuring mamba

## Public Disclosure Process

1. Security issues will be announced via GitHub Security Advisories
2. Critical updates will also be announced on social media
3. CVE IDs will be requested for significant security issues

## Security-Related Configuration

To ensure the secure use of mamba:

- Verify package signatures when available
- Use secure channels for package downloads
- Implement appropriate access controls in your environment

## Bug Bounty Program

Currently, we do not operate a bug bounty program, but we deeply appreciate the work of security researchers who help keep mamba secure.

## Previous Security Issues

For a list of previously disclosed security vulnerabilities, please see our [Security Advisories](https://github.com/mamba-org/mamba/security/advisories) page.

## Code of Conduct

Please note that all security researchers must follow our [Code of Conduct](CODE_OF_CONDUCT.md) when reporting vulnerabilities.

## Contact

For any questions about this security policy:

- Email: [info@quantstack,net](mailto:[email protected])
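Review bot: the visible link text in the final Contact line, `info@quantstack,net`, has a comma where the domain dot belongs, so it does not match the `mailto:` target beside it; correct the text so the displayed address and the link agree. Two smaller points in the same hunk: the Supported Versions table only lists `1.x.x` as supported and `< 1.0` as unsupported, so confirm it reflects the release lines the team actually patches before merging, and the rewrite replaces the two named contacts of the old file with a single reporting mailbox, which is fine as long as that mailbox is monitored closely enough to honour the 48-hour acknowledgment promised under "What to Expect".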