The Substra team and community take security issues very seriously.

We appreciate your efforts to responsibly disclose your findings and we will make our best to acknowledge your contributions.

Note: Please do not report security vulnerabilities through public Github issues.

To report a securty issue, please send an email at security@substra.ai including the word "SECURITY" in the subject line.

The Substra team will get back to you as soon as possible with the next steps in handling your report. After this initial reply to your report, the team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.

Please include as much information as you can to help us better understand the nature and scope of the possible issue (type of issue, full paths of source files, configurations, step-by-step instruction to reproduce, proof-of-concept, impact of the issue, including how an attacker might exploit the issue/attack scenario, etc.). This information will help us triage your report as fast as possible.

Please report any security bugs in third-party projects to the person or team developing that project.

Please note that the Substra might use Github Security Advisories to disclose, fix and publish information about the vulnerability you responsibly reported to us.

We prefer all communications to be in English.

Please open a Pull Request or an Issue if you would like to discuss any changes to this policy.