Security: lablup/etcd-client-py

SECURITY.md

Security Policy

This policy applies to all repositories under the Lablup GitHub organization, unless a specific repository defines its own SECURITY.md that overrides it.

Reporting a Vulnerability

If you believe you have found a security vulnerability in any Lablup project, please report it to us privately. Do not open a public GitHub issue, pull request, or discussion thread about the issue.

Send your report by email to: [email protected]

To help us triage your report quickly, please include as much of the following as you can:

  • The affected project, repository, version, and/or commit hash.
  • A description of the vulnerability and its potential impact.
  • Step-by-step instructions to reproduce the issue, including any proof-of-concept code, configurations, or sample inputs.
  • Your name and affiliation (if any), and how you would like to be credited if the issue is disclosed.

We will acknowledge receipt of your report and work with you to understand and validate the issue. We may contact you for additional information during the investigation.

Non-Disclosure Policy

By submitting a report, you agree to the following non-disclosure terms:

  1. Confidentiality. You will keep the existence and details of the reported vulnerability — including any information you obtained while investigating it — strictly confidential until Lablup has investigated, remediated, and publicly disclosed the issue, or has otherwise given you written permission to disclose.
  2. No public disclosure. You will not publish, present, share, or otherwise disclose the vulnerability or any related information to any third party, including through blog posts, social media, conferences, mailing lists, or vulnerability databases, prior to receiving written authorization from Lablup.
  3. Coordinated disclosure. Lablup follows a coordinated disclosure process. We will work with you in good faith to agree on a reasonable disclosure timeline once a fix is available. We will credit reporters who follow this policy in our advisories, unless you ask to remain anonymous.
  4. No exploitation. You will not exploit the vulnerability beyond what is strictly necessary to demonstrate the issue, and you will not access, modify, exfiltrate, or destroy any data that does not belong to you. You will not use the vulnerability to harm Lablup, its users, its customers, or any third party.
  5. Compliance with law. All research and reporting activities must comply with applicable laws and regulations.

Researchers who report vulnerabilities in good faith and comply with this policy will not be subject to legal action by Lablup for their research and reporting activities related to the reported issue.

Scope

This policy covers source code, configurations, and artifacts published in repositories under the lablup GitHub organization. It does not cover:

  • Third-party services, dependencies, or infrastructure that Lablup does not own or operate.
  • Issues that are already publicly known or that have already been reported.
  • Social engineering, physical attacks, and denial-of-service testing against Lablup or its users.

For issues outside the scope of this policy, please contact the responsible vendor directly.

Questions

For any questions about this policy, please contact [email protected].
