File size: 1,480 Bytes
611d0a1 |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 |
# Security Policy
## Reporting a Vulnerability
### Types of Security Issues
We actively monitor:
- Code vulnerabilities (RCE, XSS, authentication bypass)
- Dependency risks (critical vulnerabilities in project dependencies, such as requirements.txt, pyproject.toml, or equivalent files)
- Configuration flaws (insecure defaults in deployment scripts)
### Disclosure Channels (Choose one):
1. **Encrypted Email**
Contact: `wangfeng19950315@163.com`
*Subject format: `[SECURITY] ModuleName - Brief Description`*
2. **GitHub Private Report**
Use GitHub's ["Report a vulnerability"](https://github.com/Megvii-BaseDetection/YOLOX/security/advisories) feature
3. **Reporting Security Issues**
Please report security issues using Create new issue: https://github.com/Megvii-BaseDetection/YOLOX/issues/new
## Response Process
1. **Acknowledgement**
- Initial response within **48 business hours**
2. **Assessment**
- Triage using CVSS v3.1 scoring
3. **Remediation**
- Critical (CVSS ≥9.0): Patch within **7 days**
- High (CVSS 7-8.9): Patch within **30 days**
4. **Public Disclosure**
- Published via [GitHub Advisories](https://github.com/Megvii-BaseDetection/YOLOX/security/advisories)
- CVE assignment coordinated with [MITRE](https://cveform.mitre.org)
## Secure Development Practices
- Always verify hashes when downloading dependencies:
```bash
sha256sum -c <your-dependency-hash-file>
```
|