Hi, I'd like to suggest that Whisper adopt a security policy that not only allows security researchers to privately report security vulnerabilities in Whisper, but also informs users of common security practices they should consider when using it.
The Security Policy is a GitHub standard document (SECURITY.md) that can be found in the "Security Tab", as you can see in the following image:
This information will benefit:
In this PR I'm sending a draft of the document that I created considering the (very little) context I have from Whisper, so feel free to adapt and enhance it in the way that best suits you -- I'm also available to make any desired edits. FYI, I've written this considering that:
Regarding how users should report vulnerabilities, my draft considers reporting vulnerabilities through a security advisory, which is a new GitHub feature that must be activated for the repository. It can be easily and quickly done by following these steps:
If you'd rather use another vehicle for reporting vulnerabilities (e.g. sending them through email or any other platform), let me know and I can submit the change.
Context
I'm Diogo and I work on Google's Open Source Security Team (GOSST) in cooperation with the Open Source Security Foundation (OpenSSF). My core job is to suggest and implement security changes on widely used open source projects 😊