security policy: take 1

[sidhpurwala-huzaifa]

Working on a new updated security policy for the project.

Most of the things were unsaid, like issue triage and security sevs, so documented them. Also added an initial version of a pre-notification policy.

[gemini-code-assist]

Code Review

This pull request significantly expands the project's security policy, adding important details on issue triage, severity levels, and a pre-notification process. The changes improve clarity for both users and contributors on how security issues are handled. My review focuses on ensuring the language in this formal document is clear, correct, and professional. I've pointed out a few grammatical and spelling issues that should be addressed to maintain the document's quality.

[github-actions]

👋 Hi! Thank you for contributing to the vLLM project.

💬 Join our developer Slack at https://slack.vllm.ai to discuss your PR in #pr-reviews, coordinate on features in #feat- channels, or join special interest groups in #sig- channels.

Just a reminder: PRs would not trigger full CI run by default. Instead, it would only run fastcheck CI which starts running only a small and essential subset of CI tests to quickly catch errors. You can run other CI tests on top of those by going to your fastcheck build on Buildkite UI (linked in the PR checks section) and unblock them. If you do not have permission to unblock, ping simon-mo or khluu to add you in our Buildkite org.

Once the PR is approved and ready to go, your PR reviewer(s) can run CI to test the changes comprehensively before merging.

To run CI, PR reviewers can either: Add ready label to the PR or enable auto-merge.

🚀

[russellb]

minor thing - can you add Signed-off-by to your commit messages? That's required to make the DCO bot happy.

[russellb]

In general, this is great. I support the addition of the prenotification policy, allowing trusted parties that ship vllm to participate in a coordinated release. My suggestions are fairly minor, I think.

[russellb]

One last suggestion - how about a link from https://docs.vllm.ai/en/latest/contributing/vulnerability_management.html back to SECURITY.md? You can find it in the docs/ directory

[sidhpurwala-huzaifa]

One last suggestion - how about a link from https://docs.vllm.ai/en/latest/contributing/vulnerability_management.html back to SECURITY.md? You can find it in the docs/ directory

Hmm, i can see already the following line in the vuln management page:
"As mentioned in the security policy, security vulnerabilities may be reported privately to the project via GitHub."

Also, it seems like there may be a need to "consolidate" the vuln disclosure section of the page a bit, inline with the pre-notification policy. How about we commit the security policy first and then review how this page can be changed to be in sync with the policy?

[russellb]

One last suggestion - how about a link from https://docs.vllm.ai/en/latest/contributing/vulnerability_management.html back to SECURITY.md? You can find it in the docs/ directory

Hmm, i can see already the following line in the vuln management page: "As mentioned in the security policy, security vulnerabilities may be reported privately to the project via GitHub."

Also, it seems like there may be a need to "consolidate" the vuln disclosure section of the page a bit, inline with the pre-notification policy. How about we commit the security policy first and then review how this page can be changed to be in sync with the policy?

sounds good. I missed the link, sorry.

[russellb]

LGTM, but @simon-mo should review, as well.

Thanks!

[sidhpurwala-huzaifa]

@simon-mo hey, could you look at this MR and see if it makes sense to you?