Skip to content

Add SECURITY.md#342

Open
jolorunyomi wants to merge 1 commit into
mainfrom
security/add-security-md
Open

Add SECURITY.md#342
jolorunyomi wants to merge 1 commit into
mainfrom
security/add-security-md

Conversation

@jolorunyomi
Copy link
Copy Markdown

@jolorunyomi jolorunyomi commented May 13, 2026

This PR adds a SECURITY.md file to the repository, outlining the security policies and procedures for reporting vulnerabilities. This is part of our effort to enhance the security posture of our projects and ensure that we have a clear process for handling security issues.

@jolorunyomi jolorunyomi requested a review from a team as a code owner May 13, 2026 01:37
bdice
bdice reviewed May 13, 2026
View reviewed changes
Comment thread SECURITY.md
# Security Policy

`velox-testing` is the CI / build / benchmark infrastructure used to test the
RAPIDS GPU integrations with Apache Velox, PrestoDB native (with the Velox
Copy link
Copy Markdown
Contributor

@bdice bdice May 13, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Velox is not an Apache project.

Suggested change
RAPIDS GPU integrations with Apache Velox, PrestoDB native (with the Velox
RAPIDS GPU integrations with Velox, PrestoDB native (with the Velox

More broadly, can we please shrink this document? There are many specific details about the current contents of the repo that may change (scope, included projects, tooling, dependencies, etc.). I would like our security document to be evergreen.

bdice
bdice requested changes May 13, 2026
View reviewed changes
Comment thread SECURITY.md

- **Compute-sanitizer outputs are treated as pre-disclosure.**
Findings produced by `velox-compute-sanitizer-run.yaml` may
represent undisclosed memory-safety bugs. Logs, artifacts, and
Copy link
Copy Markdown
Contributor

@bdice bdice May 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's delete this section.

We will continue running compute-sanitizer in our publicly visible CI so that we can catch and fix bugs. Hiding logs is not a real answer to that.

Comment thread SECURITY.md

- **Upstream sources are pinned per build.**
Builds should consume specific commits of Velox, Presto, and
Spark Gluten — not floating branches — so that a compromised
Copy link
Copy Markdown
Contributor

@bdice bdice May 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's delete this section.

We run nightly again main of upstream repos. This is by design. Pinning is not the goal here.

Comment thread SECURITY.md
## Supported Versions

velox-testing follows a rolling-`main` model with periodic staging
branches created by `scripts/create_staging_branch.sh`. Security fixes
Copy link
Copy Markdown
Contributor

@bdice bdice May 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't actually do anything with staging today. This "Supported Versions" section can be removed (nothing from this repo has stability or long-term support).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bdice bdice bdice requested changes

@paul-aiyedun paul-aiyedun paul-aiyedun approved these changes

+1 more reviewer

@msarahan msarahan msarahan approved these changes

Reviewers whose approvals may not affect merge requirements

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@jolorunyomi @msarahan @bdice @paul-aiyedun