security: narrow down the scope of what we consider a vulnerability #18752

Merged
ServeurpersoCom merged 2 commits into ggml-org:master from ngxson:xsn/security_policy_narrow_down
Jan 11, 2026

@ngxson commented Jan 11, 2026

Changes in this PR:

  • Narrow down directories covered by the policy, so problems with testing tools / learning examples (e.g. examples/**) will be considered as general bugs
  • Prohibit reports that are predominantly written by AI
  • Require a working PoC for each report

@ngxson ngxson requested a review from ggerganov as a code owner January 11, 2026 11:04
@ServeurpersoCom
Contributor

THANKS !

@ServeurpersoCom ServeurpersoCom left a comment

LGTM. Clear scope, PoC requirement, and AI restrictions will improve signal-to-noise ratio on security reports.

@ServeurpersoCom ServeurpersoCom merged commit 28068af into ggml-org:master Jan 11, 2026
2 checks passed
- `src/**/*`
- `ggml/**/*`
- `gguf-py/**/*`
- `tools/server/*` (note: Web UI is not covered)
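
Review bot: the last entry, `tools/server/*`, uses a single-level glob while the three entries above it use `**/*`, so as written files in subdirectories of `tools/server` fall outside the covered scope. If that is how the Web UI is meant to be excluded, say so in the note; otherwise use `tools/server/**/*` and name the excluded path explicitly so reporters can tell which server files are in scope.
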
Contributor Author

I want to make this a bit more clear, will push a new PR for that. Btw forgot to tell you @ServeurpersoCom but we should wait for @ggerganov approval too (I guess it's fine this time, no worries)

(to Georgi: if you need any modifications, feel free to comment on my next PR)

Member

We get many reports about DoS (Denial-of-Service) where certain input crashes the server for example - I don't think these vulnerabilities are significant for the project at this stage, so we should add a separate point to treat these as bugs instead of vulnerabilities.

Contributor Author

Thanks, I added your point in #18754

Contributor

Absolutely, even if some DoS attacks have the potential to escalate, if they are fixed beforehand it poses no problem

gary149 pushed a commit to gary149/llama-agent that referenced this pull request Jan 13, 2026
…gml-org#18752)

* security: narrow down the scope of what we consider a vulnerability

* fix typo
dillon-blake pushed a commit to Boxed-Logic/llama.cpp that referenced this pull request Jan 15, 2026
…gml-org#18752)

* security: narrow down the scope of what we consider a vulnerability

* fix typo