Vulnerability Disclosure Policy
HDF5 & Ecosystem
Report a Vulnerability
HDF5 Library: Submit via GitHub Security Advisories
Other HDF Projects: security@hdfgroup.org (PGP key available)
Introduction
The HDF Group’s goal is to make it safe and easy for users to report security issues, to let reporters understand how and when those issues will be addressed, and to disclose each issue on a predictable schedule.
Safe Harbor
We support good-faith security research and will not pursue legal action against researchers who:
- Report vulnerabilities promptly and do not exploit them beyond what is needed for a proof of concept
- Do not perform denial of service attacks against production infrastructure
- Keep vulnerability details confidential until a fix is issued or the disclosure deadline passes
- Act in good faith and follow this policy
What to Include in Your Report
Please provide as much information as possible:
| Information | Description |
|---|---|
| Vulnerability Type | What kind of vulnerability is it? |
| Patch Status | Has the problem been patched? |
| Reproduction Steps | How can we reproduce the issue? Include proof-of-concept files (for example, a crashing HDF5 file) if available |
| Credit Preference | Would you like public credit? (Default: yes) |
| Additional Info | Any other relevant details |
Response Timeline
Standard Track
| Day | Action |
|---|---|
| Day 0 | Report received; acknowledged within 3 business days |
| Day 30 | Triage complete: validate, reproduce, plan fix, provide ETA |
| Day 90 | Fix released with security advisory (summary, affected versions, severity, mitigations, patches) |
| Day 120 | Full technical disclosure (root cause, PoC, diffs) |
Accelerated Track
For actively exploited vulnerabilities with credible evidence of exploitation in the wild:
| Day | Action |
|---|---|
| Day 0 | Report received; acknowledged within 1 business day |
| Day 3 | Triage complete |
| Day 7-10 | Fix released with full security advisory and technical details |
Please allow a grace period of up to three days if a fix requires coordination with other parties.
Scope
In Scope:
- HDF5 library
- File format specs and validators
- Official plugins/connectors (Virtual Object Layer (VOL) and Virtual File Driver (VFD) plugins)
- HSDS
- HDFView
- Official tools (h5dump, h5stat, etc.)
- Build/packaging artifacts
- Documentation sites
- Distribution channels
Out of Scope:
- Third-party forks
- Community plugins not maintained by The HDF Group
Disclosure
We understand that reporters may wish to disclose an issue publicly if they see no movement on it. Please give us enough time to follow the timelines above. If we have not met our own timelines, you may publicly report the issue by day 120.
Coordination & Embargo
We coordinate with major downstreams (Linux distributions, HPC vendors, package registries) under brief embargoes consistent with the timelines above. An embargo break or evidence of active exploitation immediately moves the issue to the Accelerated Track.
Questions?
Contact security@hdfgroup.org with any questions about this policy.