mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-09 20:09:02 +02:00
* Update SECURITY.md * Update SECURITY.md * Update SECURITY.md * Update SECURITY.md * Update SECURITY.md * Update SECURITY.md * Update SECURITY.md * Update SECURITY.md * Extend the already-fixed/monitoring rule to public PRs and credit Broaden the rule from "already fixed" to also cover issues already being fixed in the open (e.g. an open pull request), extend the commit-monitoring pattern to PRs, and fold in the credit consequence on provable grounds rather than an unprovable bad-faith claim: a report of an already-public, already-fixed-or-being-fixed issue filed strictly last is a duplicate we cannot distinguish from scraping, so it earns no advisory. Credit belongs to whoever found or fixed it, who forfeits it by disclosing publicly instead of reporting confidentially first — so a public fix earns no advisory and no credit for anyone. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * Remove Rule 14 (One Vulnerability Per Report) The one-CVE-per-vulnerability constraint it restated is a CVE Program counting rule, already binding through the "Alignment with the CVE Program" section. Dropping the standalone rule removes the duplication; bundled reports are still split on that basis when they arise. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * security policy: surface "What a Valid Report Gets You" near the top, refresh date Move the "What a Valid Report Gets You" section up to directly under the good-faith reporting section (it leads with what reporters receive, rather than burying it below the rules), and update the last-updated date. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * Update SECURITY.md --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>