Security Policy
Reporting a Vulnerability
If you believe you have found a security or privacy issue affecting HDF5
or related ecosystem components, do not open a public GitHub issue.
Instead, please follow the specific product’s security policy (e.g.,
email security contact or use the designated reporting channel).
If you are unsure where to report:
- Contact the SSP SIG maintainers via the repository security contact
(to be defined here once established), or
- Contact HDFG through the official security email listed on the HDF5
project website.
Coordinated Disclosure
The SSP SIG encourages responsible, coordinated disclosure. In general:
- The issue is privately reported to the appropriate maintainers.
- A fix or mitigation is prepared and tested.
- A coordinated advisory and release are prepared.
- Public communication avoids leaking exploitable details before a fix
is available.
Scope
This repository primarily contains governance and guidance documents.
Security vulnerabilities in these documents are unlikely; however:
- If you find sensitive or inappropriate content (e.g., secrets, private
data, or overly detailed exploit instructions), please report it using
the same channels.