security-policy: surface "What a Valid Report Gets You" near the top

Move it up to directly under the good-faith reporting section, mirroring the
open-webui SECURITY.md change so the policy leads with what reporters receive
instead of burying it below the guidelines.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Classic298
2026-06-13 16:24:06 +02:00
parent b5e44ea3fd
commit 5158a2157e
+10 -10
View File
@@ -44,6 +44,16 @@ If you have found something that you know is **not strictly a vulnerability unde
In line with the CVE rules, we will **not** publish an advisory or mint a CVE for these, but we **will** act on them (for example, ship the bump) and keep the report confidential until it is handled. <ins>**Where a fix lands as a result of your report and you would like credit, we will try to acknowledge you (for example, as a co-author on the change).**</ins>
## What a Valid Report Gets You
If your report describes a real vulnerability under this policy, here is what you can expect from us:
- **Credit on the advisory.** You are named as the reporter on the published advisory. Where multiple reporters each demonstrated a distinct vector, every one of you is credited (see [Report Handling](#report-handling)).
- **Coordinated disclosure.** We will not publish out from under you while you are still working the issue with us. Status moves visibly on the advisory itself — including the CVE request — and GitHub notifies you of those updates, so you can follow it through to publication.
- **A real fix, handled responsibly.** For findings with broad or severe real-world impact, we may hold publication for up to roughly two weeks after the patched release so administrators can update before details are public.
We are a small volunteer team, so what we **cannot** offer is a bounty or a guaranteed turnaround. What you get is a serious fix, honest credit, and a process that treats your work as the contribution it is.
## Alignment with the CVE Program
The **CVE Program rules** (and CNA operational rules) are the **baseline** for all CVE handling here, and this policy operates within them. Under those rules, the determination of whether a report constitutes a security vulnerability in Open WebUI is the vendor's to make; this policy documents the criteria by which we exercise that determination. Where the rules are silent, they still apply; where this policy specifies how we apply them to Open WebUI, it does so as the vendor's published disposition criteria, not as a replacement for or exception to the program rules.
@@ -115,16 +125,6 @@ We appreciate the community's interest in identifying potential vulnerabilities.
Non-compliant submissions may be closed, and repeat or extreme violators may be banned. Our goal is to foster a constructive reporting environment where quality submissions promote better security for all users.
## What a Valid Report Gets You
If your report describes a real vulnerability under this policy, here is what you can expect from us:
- **Credit on the advisory.** You are named as the reporter on the published advisory. Where multiple reporters each demonstrated a distinct vector, every one of you is credited (see [Report Handling](#report-handling)).
- **Coordinated disclosure.** We will not publish out from under you while you are still working the issue with us. Status moves visibly on the advisory itself — including the CVE request — and GitHub notifies you of those updates, so you can follow it through to publication.
- **A real fix, handled responsibly.** For findings with broad or severe real-world impact, we may hold publication for up to roughly two weeks after the patched release so administrators can update before details are public.
We are a small volunteer team, so what we **cannot** offer is a bounty or a guaranteed turnaround. What you get is a serious fix, honest credit, and a process that treats your work as the contribution it is.
## Expected Timeframe
We aim to triage new reports, ship fixes, and publish advisories promptly. However, due to the very high volume of incoming vulnerability reports, issues, discussions, pull requests, and general project maintenance — lately compounded by a high number of (AI-generated) reports (see [AI Report Transparency](#reporting-guidelines)) — our capacity to respond is limited. Open WebUI is a community-driven project maintained by a small team, and security reports are handled alongside all other project responsibilities.