|
|
@@ -4,10 +4,11 @@ Our primary goal is to ensure the protection and confidentiality of sensitive da
|
|
|
|
|
|
## Supported Versions
|
|
|
|
|
|
-| Version | Supported |
|
|
|
-| ------- | ------------------ |
|
|
|
-| main | :white_check_mark: |
|
|
|
-| others | :x: |
|
|
|
+| Version (Branch) | Supported |
|
|
|
+| ---------------- | ------------------ |
|
|
|
+| main | :white_check_mark: |
|
|
|
+| dev | :x: |
|
|
|
+| others | :x: |
|
|
|
|
|
|
## Zero Tolerance for External Platforms
|
|
|
|
|
|
@@ -17,7 +18,7 @@ Any reports or solicitations arriving from sources other than our designated Git
|
|
|
|
|
|
## Reporting a Vulnerability
|
|
|
|
|
|
-We appreciate the community's interest in identifying potential vulnerabilities. However, effective immediately, we will **not** accept low-effort vulnerability reports. To ensure that submissions are constructive and actionable, please adhere to the following guidelines:
|
|
|
+We appreciate the community's interest in identifying potential vulnerabilities. However, effective immediately, we will **not** accept low-effort vulnerability reports. Ensure that **submissions are constructive, actionable, reproducible, well documented and adhere to the following guidelines**:
|
|
|
|
|
|
Reports not submitted through our designated GitHub repository will be disregarded, and we will categorically reject invitations to collaborate on external platforms. Our aggressive stance on this matter underscores our commitment to a secure, transparent, and open community where all operations are visible and contributors are accountable.
|
|
|
|
|
|
@@ -25,13 +26,26 @@ Reports not submitted through our designated GitHub repository will be disregard
|
|
|
|
|
|
2. **In-Depth Understanding Required**: Reports must reflect a clear understanding of the codebase and provide specific details about the vulnerability, including the affected components and potential impacts.
|
|
|
|
|
|
-3. **Proof of Concept (PoC) is Mandatory**: Each submission must include a well-documented proof of concept (PoC) that demonstrates the vulnerability. If confidentiality is a concern, reporters are encouraged to create a private fork of the repository and share access with the maintainers. Reports lacking valid evidence will be disregarded.
|
|
|
+3. **Proof of Concept (PoC) is Mandatory**: Each submission must include a well-documented proof of concept (PoC) that demonstrates the vulnerability. If confidentiality is a concern, reporters are encouraged to create a private fork of the repository and share access with the maintainers. Reports lacking valid evidence may be disregarded.
|
|
|
|
|
|
-4. **Required Patch Submission**: Along with the PoC, reporters must provide a patch or actionable steps to remediate the identified vulnerability. This helps us evaluate and implement fixes rapidly.
|
|
|
+4. **Required Patch or Actionable Remediation Plan Submission**: Along with the PoC, reporters must provide a patch or actionable steps to remediate the identified vulnerability. This helps us evaluate and implement fixes rapidly.
|
|
|
|
|
|
5. **Streamlined Merging Process**: When vulnerability reports meet the above criteria, we can consider them for immediate merging, similar to regular pull requests. Well-structured and thorough submissions will expedite the process of enhancing our security.
|
|
|
|
|
|
-**Non-compliant submissions will be closed, and repeat violators may be banned.** Our goal is to foster a constructive reporting environment where quality submissions promote better security for all users.
|
|
|
+6. **Default Configuration Testing**: All vulnerability reports MUST be tested and reproducible using Open WebUI's out-of-the-box default configuration. Claims of vulnerabilities that only manifest with explicitly weakened security settings may not be considered valid vulnerability reports.
|
|
|
+
|
|
|
+> [!NOTE]
|
|
|
+> **Note**: If you believe you have found a security issue that
|
|
|
+> 1) affects default configurations **or**
|
|
|
+> 2) represents a genuine bypass of intended security controls **or**
|
|
|
+> 3) works only with non-default configurations **but** the configuration in question is likely to be used by production deployments
|
|
|
+> **then we absolutely want to hear about it.** This policy is intended to filter configuration issues and deployment problems, not to discourage legitimate security research.
|
|
|
+
|
|
|
+7. **Threat Model Understanding Required**: Reports must demonstrate understanding of Open WebUI's self-hosted, authenticated, role-based access control architecture. Comparing Open WebUI to services with fundamentally different security models without acknowledging the architectural differences may result in report rejection.
|
|
|
+
|
|
|
+**Non-compliant submissions will be closed, and repeat extreme violators may be banned.** Our goal is to foster a constructive reporting environment where quality submissions promote better security for all users.
|
|
|
+
|
|
|
+If you want to report a vulnerability and can meet all outlines requirements, [open a vulnerability report here](https://github.com/open-webui/open-webui/security/advisories/new).
|
|
|
|
|
|
## Product Security
|
|
|
|
|
|
@@ -41,4 +55,4 @@ For immediate concerns or detailed reports that meet our guidelines, please crea
|
|
|
|
|
|
---
|
|
|
|
|
|
-_Last updated on **2024-08-19**._
|
|
|
+_Last updated on **2025-10-09**._
|
Classic298