# Security

We take security considerations seriously and appreciate responsible disclosure from the community. If you believe you have identified a security vulnerability in this project, please report it following the process outlined below.

## Reporting Security Issues

If you discover a potential security vulnerability, **please do not open a public GitHub issue**. Instead, please report it responsibly by contacting the project maintainers at opensource@zhejianglab.org. You can expect a response within 24 hours.

When reporting a security issue, please provide as much of the following information as possible to help us assess and address the issue efficiently:

- Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source files related to the issue
- Location of the affected code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if available)
- Potential impact of the issue, including potential exploitation by an attacker

## Scope

Security issues include, but are not limited to:

- Vulnerabilities in training, evaluation, or inference scripts
- Unsafe default configurations or deployment settings
- Dependency-related security risks
- Issues that may lead to data leakage or unauthorized access

## Response Process

After receiving a security report, the project maintainers will:

- Acknowledge receipt of the report
- Assess the impact and severity of the issue
- Work on mitigation or fixes
- Coordinate a responsible disclosure if needed

We aim to respond to initial reports in a timely manner and will keep reporters informed of progress when feasible.

## Policy

We adhere to the principle of responsible disclosure and work to resolve security issues as promptly as possible. Our goal is to resolve security issues promptly while protecting users, contributors, and downstream projects.