As part of our commitment to the security and integrity of the HDF5 ecosystem under the SHINES (Safe-OSE) project, we have launched a dedicated site for security researchers and community members to report vulnerabilities: https://ssp.hdfgroup.org.
The goal of this site is to make it safe and easy to report security issues, providing transparency on how and when they will be addressed.
Key details of the new policy:
- Reporting Channels: Vulnerabilities in the HDF5 Library can be submitted via GitHub Security Advisories, while vulnerabilities in other HDF projects can be reported via a dedicated security email.
- Defined Timelines: The policy outlines clear response windows, including a 90-day window to release a fix for standard issues and an accelerated 7-day track for vulnerabilities being exploited in the wild.
- Scope: The policy covers the HDF5 library, file format specs, official plugins/connectors (VOL/VFD), HSDS, HDFView, and official tools like h5dump.
We encourage anyone who discovers a potential security weakness to review the full policy and use these new channels to help us maintain a secure environment for all HDF5 users.
This material is based upon work supported by the U.S. National Science Foundation under Federal Award No. 2534078. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.