
Security: MeridianAlgo/FinAI

SECURITY.md

Security Policy

Supported Versions

We release patches for security vulnerabilities for the following versions:

Version Supported
1.0.x
< 1.0

Reporting a Vulnerability

We take security seriously. If you discover a security vulnerability, please follow these steps:

1. Do Not Open a Public Issue

Please do not open a public GitHub issue for security vulnerabilities.

2. Report Privately

Send a detailed report to the repository maintainers via:

  • GitHub Security Advisories (preferred)
  • Direct message to repository owner

3. Include in Your Report

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)
  • Your contact information

4. Response Timeline

  • Initial Response: Within 48 hours
  • Status Update: Within 7 days
  • Fix Timeline: Depends on severity
    • Critical: 1-7 days
    • High: 7-30 days
    • Medium: 30-90 days
    • Low: Best effort

Security Best Practices

For Users

  1. Keep Dependencies Updated

    pip install --upgrade -r requirements.txt
  2. Use Virtual Environments

    python -m venv venv
    source venv/bin/activate
  3. Protect API Keys

    • Never commit API keys to git
    • Use environment variables or secrets
    • Rotate keys regularly
  4. Validate Input Data

    • Sanitize user inputs
    • Validate file uploads
    • Check dataset sources
  5. Monitor Dependencies

    pip install safety
    safety check

For Contributors

  1. Code Review

    • All PRs require review
    • Security-sensitive changes need extra scrutiny
  2. Dependency Management

    • Pin dependency versions
    • Review dependency updates
    • Check for known vulnerabilities
  3. Secrets Management

    • Use GitHub Secrets for CI/CD
    • Never hardcode credentials
    • Use .env files (gitignored)
  4. Input Validation

    • Validate all external inputs
    • Sanitize file paths
    • Check data types and ranges

Known Security Considerations

Model Training

  • Data Poisoning: Validate dataset sources
  • Model Extraction: Limit API access if deploying
  • Resource Exhaustion: Set timeouts and limits

API Keys

  • Wandb API Key: Store in GitHub Secrets
  • Hugging Face Token: Optional, store securely if used

File Operations

  • Path Traversal: Validate file paths
  • Arbitrary File Write: Restrict write locations
  • Large Files: Implement size limits
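The three File Operations controls above, combined in one place, as an added Python example (not FinAI's own code). The helper names, the `MAX_BYTES` value and the directory layout are assumptions made for illustration.

```python
from pathlib import Path

MAX_BYTES = 10 * 1024 * 1024  # assumed limit for illustration, not a FinAI setting


class UnsafePathError(ValueError):
    """Raised when a requested path resolves outside the allowed directory."""


def resolve_inside(base_dir, user_path):
    """Return the resolved path only if it lies strictly inside base_dir."""
    base = Path(base_dir).resolve()
    # Joining and then resolving collapses ".." segments and follows symlinks,
    # so the containment check runs on the path the OS would actually open.
    # An absolute user_path replaces base in the join and fails the check below.
    candidate = (base / user_path).resolve()
    if base not in candidate.parents:
        raise UnsafePathError(f"{user_path!r} resolves outside {base}")
    return candidate


def read_limited(base_dir, user_path, max_bytes=MAX_BYTES):
    """Read a file under base_dir, refusing anything larger than max_bytes."""
    path = resolve_inside(base_dir, user_path)
    with open(path, "rb") as fh:
        # Read one byte past the limit so an oversized file is detected
        # without loading all of it into memory.
        data = fh.read(max_bytes + 1)
    if len(data) > max_bytes:
        raise ValueError(f"{user_path!r} exceeds {max_bytes} bytes")
    return data


def write_restricted(base_dir, user_path, data, max_bytes=MAX_BYTES):
    """Write data under base_dir only, after enforcing the size limit."""
    if len(data) > max_bytes:
        raise ValueError(f"payload exceeds {max_bytes} bytes")
    path = resolve_inside(base_dir, user_path)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)
    return path
```

The containment check and the later open are separate steps, so a directory that an untrusted party can modify concurrently still needs filesystem permissions as a second control.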

Dependencies

We regularly update dependencies to patch security vulnerabilities. Check requirements.txt for current versions.

Security Updates

Security updates are released as:

  1. Patch Versions (1.0.x) for minor fixes
  2. GitHub Security Advisories for critical issues
  3. Release Notes documenting security fixes

Disclosure Policy

  • We follow responsible disclosure
  • Security fixes are released before public disclosure
  • Credit given to reporters (if desired)

Security Checklist for Deployments

  • Use HTTPS for all connections
  • Implement rate limiting
  • Set up monitoring and logging
  • Use strong authentication
  • Keep dependencies updated
  • Regular security audits
  • Backup critical data
  • Implement access controls

Automated Security

We use:

  • Dependabot: Automatic dependency updates
  • GitHub Security Scanning: Code analysis
  • Secret Scanning: Prevent credential leaks

Contact

For security concerns, contact:

  • GitHub Security Advisories (preferred)
  • Repository maintainers

Acknowledgments

We thank security researchers who responsibly disclose vulnerabilities.


Last Updated: December 2024
