Skip to content

Commit 943cd7a

Browse files
committed
chore(security): add SECURITY.md for coordinated vulnerability disclosure
CrewAI currently has no SECURITY.md, which means GitHub does not show the 'Report a vulnerability' shortcut on the repo's Security tab and researchers have no documented private channel. For a 28k-star project that ships into production agent stacks, having a documented disclosure path is table stakes. This adds a minimal, opinionated SECURITY.md that: - Points reporters at GitHub's private vulnerability reporting - Lists what makes a good report (component, version, repro, impact) - Describes a standard coordinated-disclosure flow via GHSA - Clarifies what is out of scope (user prompts, upstream LLM provider outages, third-party tools) Intentionally avoids hard response-time SLAs so maintainers can adjust to capacity. No code paths, no public API, single new file.
1 parent 2eb4e3a commit 943cd7a

1 file changed

Lines changed: 52 additions & 0 deletions

File tree

SECURITY.md

Lines changed: 52 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,52 @@
1+
# Security Policy
2+
3+
Thanks for helping keep CrewAI and its users safe.
4+
5+
## Reporting a Vulnerability
6+
7+
**Please do not open public GitHub issues for security vulnerabilities in CrewAI.**
8+
9+
To report a security issue, use GitHub's private vulnerability reporting feature:
10+
11+
1. Go to <https://github.com/crewAIInc/crewAI/security/advisories/new>
12+
2. Provide a clear description, affected version(s), and reproduction steps.
13+
14+
A maintainer will respond to triage the report. If you cannot use GitHub's
15+
private reporting, please contact the maintainers via the channels listed
16+
in the project [README](README.md).
17+
18+
### What to include
19+
20+
A good report typically contains:
21+
22+
- The affected component(s) (e.g. `crewai.tools`, `crewai.agent`)
23+
- The CrewAI version(s) affected
24+
- A clear description of the impact
25+
- A minimal reproduction (PoC) or detailed steps
26+
- Any suggested mitigation
27+
28+
### Disclosure process
29+
30+
We follow a coordinated-disclosure model:
31+
32+
1. The report is confirmed and the issue reproduced.
33+
2. A fix is developed and reviewed privately (typically via a [GitHub Security Advisory](https://github.com/crewAIInc/crewAI/security/advisories)).
34+
3. A release date is coordinated with the reporter.
35+
4. A patched release is published and the advisory is disclosed, crediting the
36+
reporter unless anonymity is requested.
37+
38+
### Out of scope
39+
40+
The following are generally **not** considered security vulnerabilities in
41+
CrewAI itself:
42+
43+
- Issues caused entirely by user-provided LLM prompts or tool implementations
44+
- Rate limits or availability issues from upstream LLM providers
45+
- Misconfiguration of credentials passed to `LLM(...)` or environment variables
46+
- Security issues in third-party tools loaded into CrewAI; please report those
47+
to the tool's upstream maintainers
48+
49+
## Supported Versions
50+
51+
Security fixes are provided for the most recent release of CrewAI on `main`.
52+
Older releases may receive critical fixes at the maintainers' discretion.

0 commit comments

Comments
 (0)