Add SECURITY.md

[jameslamb]

Description

Contributes to rapidsai/build-planning#281

• adds a SECURITY.md describing how to report security vulnerabilities

Notes for Reviewers

Why not just set this org-wide?

An org-wide default is set at https://github.com/rapidsai/.github/blob/main/SECURITY.md, but adding an actual file in each repo offers a few benefits:

• ensures security policy travels with the repo to forks, clones, mirrors, etc.
• allows per-repo governance over the security policy (via PR review, CODEOWNERS, etc.)

This can be admin-merged

I'll stop CI intentionally after pre-commit runs, to save CI time and resources.

[copy-pr-bot]

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

Release Notes

• Documentation

  • Added a security policy file with guidelines for reporting vulnerabilities through designated channels.

• Chores

  • Updated CI/CD workflow configuration and code ownership assignments related to security documentation.

Walkthrough

This PR establishes a security vulnerability reporting process by introducing a SECURITY.md disclosure guide aligned with NVIDIA PSIRT, assigning ops team ownership via CODEOWNERS, and configuring CI workflows to exclude documentation-only changes from triggering unrelated test jobs.

Changes

Security Vulnerability Reporting Setup

Layer / File(s)	Summary
Security disclosure guide SECURITY.md	SECURITY.md provides NVIDIA-focused vulnerability reporting instructions including PSIRT web form, encrypted email, and GitHub private reporting channels, with required report details and disclosure policy reference.
Ops code ownership assignment .github/CODEOWNERS	CODEOWNERS section assigns maintenance responsibility for SECURITY.md to the ops-codeowners team.
CI path exclusions for security documentation .github/workflows/pr.yaml	pr.yaml excludes SECURITY.md from file-change detection across six CI job groups (build_docs, test_cpp, test_java, test_python_wheels, test_rust, test_go) to prevent unnecessary job triggers on documentation updates.

---

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Add SECURITY.md' directly and clearly summarizes the main change: adding a new SECURITY.md file for security vulnerability reporting.
Description check	✅ Passed	The description is directly related to the changeset, explaining the purpose of adding SECURITY.md, referencing the associated issue, and providing context for design decisions.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/pr.yaml (1)

146-180: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add !SECURITY.md to test_java changed-files exclusions.

test_java is the only targeted group missing this exclusion, so a SECURITY.md-only PR can still trigger Java CI unexpectedly.

Suggested patch

         test_java:
           - '**'
@@
           - '!Dockerfile'
+          - '!SECURITY.md'
           - '!docs/**'

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pr.yaml around lines 146 - 180, Add the missing
'!SECURITY.md' exclusion to the test_java changed-files list in the GitHub
Actions PR workflow; update the test_java block in .github/workflows/pr.yaml
(the list that currently includes entries like '!.coderabbit.yaml',
'!.github/CODEOWNERS', '!Dockerfile', etc.) to include '!SECURITY.md' so
SECURITY.md-only PRs no longer trigger the Java CI group.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.github/workflows/pr.yaml:
- Around line 146-180: Add the missing '!SECURITY.md' exclusion to the test_java
changed-files list in the GitHub Actions PR workflow; update the test_java block
in .github/workflows/pr.yaml (the list that currently includes entries like
'!.coderabbit.yaml', '!.github/CODEOWNERS', '!Dockerfile', etc.) to include
'!SECURITY.md' so SECURITY.md-only PRs no longer trigger the Java CI group.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 6f2c3fe9-757a-4295-9b31-5ab7b10389fe

📥 Commits

Reviewing files that changed from the base of the PR and between caf24ce and fb51d9f.

📒 Files selected for processing (3)

• .github/CODEOWNERS
• .github/workflows/pr.yaml
• SECURITY.md