Security Policy¶
Reporting a vulnerability¶
If you discover a security issue in this repository (exposed credentials, malicious content in a chapter, or a vulnerability in a documentation build script), please do not open a public issue with exploit details.
Instead:
- Open a GitHub Security Advisory (preferred), or
- Contact the maintainer through a private channel with impact and reproduction steps.
We will acknowledge reports within a reasonable timeframe and coordinate disclosure.
Scope¶
This policy covers the MLSecOps Guide repository — Markdown content, release assets, and any GitHub Actions workflows in this repo.
It does not cover:
- Third-party tools or vendors mentioned in the guide
- AI systems, models, or APIs you deploy using the guide
For vulnerabilities in your production AI systems, maintain your own disclosure policy (see Chapter 11).
Supported versions¶
| Version | Supported |
|---|---|
| v1.1.0 | Yes |
| v1.0.x | Yes — security fixes only; use v1.1.0 for current content |
Older draft tags may not receive updates.
Reader template (optional)¶
Organizations may adapt this outline for model/API disclosure:
Contact: security@example.com
Policy: https://example.com/.well-known/security.txt
Scope: Production inference APIs and published model artifacts
Out of scope: Third-party tools listed in the guide (report to vendors directly)