24 changes: 8 additions & 16 deletions SECURITY.md
@@ -1,21 +1,13 @@
# Security Policy
## Security Policy

## Supported Versions
### Supported Versions
We provide build scripts for many (thousands) of open source projects, often covering multiple versions per project.

We currently provide build scripts for many (thousands) of open source projects and within those projects many different versions.
Failures related to the upstream projects or their source code should be assessed and reported directly to the corresponding open source community. We do not have the bandwidth to triage, track, or maintain context for issues that originate outside of our build scripts.

Any failures within the packages that we create build scripts for should be assessed and filed with the corresponding open source project -
we do not have the bandwidth to carry additional issues back to those communities or maintain the context behind those failures.
An Open Source Edge (OSE) portal is available at https://open-source-edge.developerfirst.ibm.com/. Please review the portal to identify version-specific SBOMs, licenses, and CVEs for a limited set of packages that are onboarded to the Manage Currency set.

We also are working on a portal which will help identify per-version SBOM, Licenses and CVEs which may be available some time this year.
If you identify a security issue introduced by our build process, please file an issue directly in this GitHub repository. If the vulnerability is publicly disclosed, ensure that the issue is reported against the specific build script directory where the issue exists.

If you see a security issue introduced by the way we build a product, please directly file an issue with that vulunerability (if it is publicly
disclosed) against the specific build script directory that contains the issue. If the issue is sensitive, you can email to:

ich at us dot ibm dot com

## Reporting a Vulnerability

If the vulnerability is reported via a github issue, we will try to get it assigned and looked at as quickly as possible. Given
our agile process model, we look at issues like this typically at the beginning of any two week sprint so you should have some sort of
response within 4 weeks. Anything needed more urgently should be reported via the email link address identified above.
### Reporting a Vulnerability
If a vulnerability is reported via a GitHub issue, we will make a best-effort attempt to triage and assign it as quickly as possible. Given our agile development model, such issues are typically reviewed at the start of a two-week sprint. You should expect an initial response within approximately four weeks.
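Review bot: The rewritten "Reporting a Vulnerability" section drops the private reporting channel: the old text offered an email address ("ich at us dot ibm dot com") for sensitive issues and said urgent reports should go to that address, while the new text only describes GitHub issues, which are public. A SECURITY.md should always name a confidential channel for undisclosed vulnerabilities, so either restore the email contact line (or point to a private reporting mechanism for this repository) and keep the "anything needed more urgently" sentence, or state explicitly why public issues are the only accepted path. Two smaller points in the same hunk: the new text still says "If the vulnerability is publicly disclosed, ensure that the issue is reported against the specific build script directory" but no longer says what to do when it is not publicly disclosed, and "Manage Currency set" is an internal term that readers of the policy will not recognize without a short gloss or a link.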