Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Set a security policy #2142

Merged
merged 2 commits into from
Nov 14, 2023
Merged

Set a security policy #2142

merged 2 commits into from
Nov 14, 2023

Conversation

pnacht
Copy link
Contributor

@pnacht pnacht commented Nov 13, 2023

What does this PR do?

Fixes #2141

This PR sets a simple security policy for Keras CV. It is almost identical to the one used by keras-team/keras.

It currently offers two avenues to report vulnerabilities:

  • an email (currently just a placeholder!)
  • GitHub's private reporting feature

If you'd rather just use one of these, let me know and I'll modify the policy. Or, if you think /tf-keras's Tensorflow-based policy is a better fit, I can use it here as well. (I admit I'm not 100% sure which repos are still tied to TF and which aren't...)

Before submitting

  • This PR fixes a typo or improves the docs (you can dismiss the other checks if that's the case).
  • Did you read the contributor guideline,
    Pull Request section?
  • Was this discussed/approved via a Github issue? Please add a link
    to it if that's the case.
  • Did you write any new necessary tests?
  • If this adds a new model, can you run a few training steps on TPU in Colab to ensure that no XLA incompatible OP are used?

Who can review?

@divyashreepathihalli, @sampathweb (from the template)

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
You may submit the report in the following ways:

- send an email to ???@???; and/or
- send a [private vulnerability report](https://github.com/keras-team/keras-cv/security/advisories/new)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would actually just vote for just this latter option here. Seems simpler, and that we don't have to maintain a separate email address for this.

Is there a downside?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pnacht as to the question about the right mental model for keras-cv and keras-nlp, they can be thought of as equivalent to keras-team/keras at least from this perspective. Maintained by the Keras team directly, supporting TF but not under the TF umbrella for maintenance/contribution.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would actually just vote for just this latter option here. Seems simpler, and that we don't have to maintain a separate email address for this.

Is there a downside?

Done. And nope, no downside. Just remember to actually enable the advisories in the repo Settings > "Code security & analysis"!

@pnacht as to the question about the right mental model for keras-cv and keras-nlp, they can be thought of as equivalent to keras-team/keras at least from this perspective. Maintained by the Keras team directly, supporting TF but not under the TF umbrella for maintenance/contribution.

Gotcha. Thanks for the info.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Enabled the reporting now. Thanks!

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
@mattdangerw
Copy link
Member

@pnacht can you make a sibling PR for keras-nlp? Thank you!

@mattdangerw mattdangerw merged commit cbd34f0 into keras-team:master Nov 14, 2023
6 of 9 checks passed
divyashreepathihalli added a commit that referenced this pull request Nov 14, 2023
* Set a security policy (#2142)

* Add security policy

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Only use private vuln report

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

---------

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* add Random ops shim (#2145)

* add Random ops shim

* update random opss

* handle None case

* change seed handeling

* undo changes

* undo changes

* undo

* update int_seed

* change int to init

* update init_seed everywhere

* add kwargs

* undo bial

* code reformat

* remove dtype

---------

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
Co-authored-by: Pedro Kaj Kjellerup Nacht <[email protected]>
yuvraj-wale pushed a commit to yuvraj-wale/keras-cv that referenced this pull request Feb 8, 2024
* Add security policy

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Only use private vuln report

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

---------

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Add a security policy
2 participants