Please report security vulnerabilities privately — do not open a public issue, pull request, or discussion for a suspected vulnerability.
Use GitHub's private vulnerability reporting:
- Go to the repository's Security tab.
- Click Report a vulnerability.
- Describe the issue, the affected component/version, and a reproduction if possible.
This opens a private advisory visible only to the maintainers. We will acknowledge the report, investigate, and coordinate a fix and disclosure with you. Please give us reasonable time to address the issue before any public disclosure.
If you are unable to use private reporting, contact a maintainer listed in the repository metadata and request a private channel before sharing details.
SKaiNET is pre-1.0 and evolving quickly. Security fixes are applied to the
latest release and the develop branch. Older versions are not maintained;
please upgrade to the latest version before reporting.
In scope:
- The SKaiNET libraries published from this repository.
- Memory-safety, parsing, and deserialization issues in the model I/O readers (GGUF, SafeTensors, ONNX) when handling untrusted model files.
- Issues in generated export artifacts (e.g. Minerva/StableHLO) that could lead to unsafe code on a consumer's device.
Out of scope:
- Vulnerabilities in third-party dependencies — report those upstream (we will still bump the dependency once a fix is available).
- Denial of service from intentionally malformed inputs where the documented contract is "trusted input only."
Broader open-source security posture (REUSE/OpenSSF Best Practices, SBOM, dependency scanning) is tracked in the project's open-source best-practices work. See the Best Practices program for the criteria we are working toward.