Security fixes target the latest main branch unless a release branch is explicitly announced.

Please report security issues through GitHub private vulnerability reporting if it is enabled for this repository. If that is unavailable, open a minimal public issue that requests a private coordination channel and does not include exploit details, secrets, or private infrastructure information.

- Secret exposure, credential leakage, or unsafe logging.
- Path traversal or unsafe archive extraction behavior.
- Untrusted command execution through model/provider hooks.
- Validation logic that can falsely report external Vitis acceptance.
- Documentation that encourages unsafe token, SSH, or remote-server handling.

We will acknowledge valid reports, reproduce them in a minimal environment, and publish fixes with clear notes. Do not include real tokens, private keys, proprietary hardware designs, private server names, or private network details in a report.