| Version | Supported |
|---|---|
| 0.1.x | ✅ |
We take security seriously. If you discover a security vulnerability in InferCost, please report it responsibly.
- Do NOT open a public GitHub issue for security vulnerabilities
- Email security concerns to: contact@defilan.com
- Use GitHub's private vulnerability reporting
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 7 days
- Resolution Target: Within 30 days for critical issues
This security policy applies to:
- InferCost controller
- CLI (
infercost) - REST API
- Container images published to GHCR
- Third-party dependencies (report to upstream)
- DCGM Exporter vulnerabilities (report to NVIDIA)
- llama.cpp / vLLM vulnerabilities (report to upstream)
- LLMKube vulnerabilities (report to LLMKube)
When deploying InferCost:
- ClusterIP only: The API server binds to ClusterIP by default — do not expose externally without authentication
- Read-only API: The REST API is read-only by design — no mutation endpoints exist
- RBAC: Restrict who can create/modify CostProfile CRDs
- Network Policies: Isolate the InferCost controller pod
- TLS: Enable TLS for the metrics and API endpoints in production
- CostProfile data: CostProfiles contain financial data (hardware prices, electricity rates) — treat as business-sensitive