From 50522157dc956da980198eec8d3da72d437b1cac Mon Sep 17 00:00:00 2001 From: yuneng-jiang Date: Tue, 9 Jun 2026 14:59:50 -0700 Subject: [PATCH] docs(security): require a reproduction video for vulnerability reports (#30048) (#30063) With AI models capable of automated vulnerability discovery now publicly available, we expect a large increase in report volume, much of it unverified. Requiring a video of the exploit running against a live instance raises the bar for submissions and keeps triage focused on reproducible issues. Reports without a video will be closed and reopened if one is added later. Co-authored-by: stuxf <70670632+stuxf@users.noreply.github.com> --- security.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/security.md b/security.md index c6cd64ddaa..cb5eda7ee2 100644 --- a/security.md +++ b/security.md @@ -3,12 +3,20 @@ ## Security Vulnerability Reporting Guidelines +> [!WARNING] +> Reports that do not include a video demonstrating the exploit will be closed without review. See [Reproduction Video Requirement](#reproduction-video-requirement) below. + We value the security community's role in protecting our systems and users. To report a security vulnerability: - File a private vulnerability report on GitHub: [Report a vulnerability](https://github.com/BerriAI/litellm/security/advisories/new) - Include steps to reproduce the issue +- Include a video or screen recording demonstrating the full exploit against a live LiteLLM instance, from initial access through to impact. A terminal recording (for example asciinema) is fine for CLI-only exploits. - Provide any relevant additional information +### Reproduction Video Requirement + +A video demonstrating the exploit is required for every report. AI tools have made it easy to produce plausible-sounding vulnerability reports that do not reproduce in practice, and triaging them takes time away from real issues. Reports submitted without a working reproduction video will be closed without review. If you add a video to a closed report, we will reopen and triage it. + ### Vulnerability Categories We classify vulnerabilities into the following categories: @@ -38,7 +46,7 @@ We offer bounties for responsibly disclosed vulnerabilities based on severity: | **Medium** | N/A | P2 authenticated privilege escalation | | **Low** | N/A | Minor information disclosure, low-impact misconfigurations | -To qualify for a bounty, reports must include clear reproduction steps and must not involve systems or accounts you do not own. We review all submissions promptly and will follow up within 5 business days. +To qualify for a bounty, reports must include clear reproduction steps, a reproduction video as described above, and must not involve systems or accounts you do not own. We review all submissions promptly and will follow up within 5 business days. ### Known Non-Issues