Please add a security policy on how to report security issues

[ericwb]

Confirm this is a feature request for the Python library and not the underlying OpenAI API.

• This is a feature request for the Python library

Describe the feature or improvement you're requesting

Please add a security policy to this GitHub repo. I can't find any information on how to report security issues in private. Using the issue tracker would be undesirable as it could zero-day some exploits reported.

Additional context

For example, these issues really should have been reported privately:

• When debug logging is enabled, api-key header is also printed #1082
• At debug log level API requests to OpenAI get logged with all headers, including an API key, in plaintext  #1196

[ericwb]

Maybe at least consider pointing to https://openai.com/policies/coordinated-vulnerability-disclosure-policy

[rattrayalex]

Hey thanks, this is a good call-out. We'll discuss internally. For now that link should work. For SDK-specific vulns, you can also email [email protected].

[rattrayalex]

What are some places you would expect to find this in a library like this? CONTRIBUTING.md?

[ericwb]

What are some places you would expect to find this in a library like this? CONTRIBUTING.md?

Typically there is a security.md policy file you define as part of the repo. GitHub has some instructions here on how to set that up: https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository.

Once setup, it'll show up here: https://github.com/openai/openai-python/security. But it would also be benefit to change the issues template to point folks to the security policy to report any vulnerabilities.

[rattrayalex]

Ah, terrific – we'll get that set up next week! Thank you so much @ericwb !

[RobertCraigie]

Sorry for the delay in closing this, the security.md file has been present for a while now!