feat: add a security policy for Haystack (#3130)

* add the security policy * Apply suggestions from code review Co-authored-by: Agnieszka Marzec <97166305+agnieszka-m@users.noreply.github.com> * include review feedback Co-authored-by: Agnieszka Marzec <97166305+agnieszka-m@users.noreply.github.com>
2025-06-26 22:00:13 +00:00 · 2022-09-02 12:00:14 +02:00 · 2022-09-02 12:00:14 +02:00 · b07fcb7185
commit b07fcb7185
parent d4722c2ec5
1 changed files with 26 additions and 0 deletions
--- a/SECURITY.md
+++ b/SECURITY.md
@ -0,0 +1,26 @@
+# Security Policy
+
+## Report a Vulnerability
+
+If you found a security vulnerability in Haystack, send a message to
+[security@deepset.ai](mailto:security@deepset.ai).
+
+In your message, please include:
+
+1. Reproducible steps to trigger the vulnerability.
+2. An explanation of what makes you think there is a vulnerability.
+3. Any information you may have on active exploitations of the vulnerability (zero-day).
+
+## Vulnerability Response
+
+We'll review your report within 5 business days and we will do a preliminary analysis
+to confirm that the vulnerability is plausible. Otherwise, we'll decline the report.
+
+We won't disclose any information you share with us but we'll use it to get the issue
+fixed or to coordinate a vendor response, as needed.
+
+We'll keep you updated of the status of the issue.
+
+Our goal is to disclose bugs as soon as possible once a user mitigation is available.
+Once we get a good understanding of the vulnerability, we'll set a disclosure date after
+consulting the author of the report and Haystack maintainers.