Add SECURITY.md #145
Comments
Hi @psmoros, Keras is used as a high-level API for TensorFlow. Please report any potential security vulnerabilities by following the instructions here. We updated CONTRIBUTING.md noting this after being reached out to by someone else in your community. Thank you! In the future when Keras supports multiple backends we might have to rethink our security procedure.
Cc'ing @fcoUnda and @learning-to-play who were looking into security. We most likely need a procedure in the future that deals with how users report security issues to Keras since these could include TensorFlow, JAX, PyTorch, and even NumPy vulnerabilities. Would you mind taking a look? Thank you!
Right now, we have a section to report security vulnerabilities in Keras, which ultimately route to TensorFlow.
@grasskin Please look here: https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md#reporting-vulnerabilities
Since there is no C++ here, the only security issues are of limited impact. CI / supply chain will need to be handled, of course, but anything else likely would come from the downstream dependencies (which TF, PT, JAX, etc. are part of) |
Hello 👋
I run a security community that finds and fixes vulnerabilities in OSS. A researcher (@nhienit2010) has found a potential issue, which I would be eager to share with you.
Could you add a SECURITY.md file with an e-mail address for me to send further details to? GitHub recommends a security policy to ensure issues are responsibly disclosed, and it would help direct researchers in the future.
Looking forward to hearing from you 👍
(cc @huntr-helper)