Add notes about permissions when using the HF Secrets feature

README.md

@@ -252,7 +252,7 @@ If you can't build a Docker image yourself, or if the steps above seem too confu
 
 These are the steps to prepare a HF Space for making submissions to the challenge:
 
-1. Create a new HuggingFace [**Organization**](https://huggingface.co/organizations/new) (**not a user account**) for your challenge team. **The length of your combined Organization name + Space name must be less than 47 characters** due to a limitation of the HuggingFace API.
+1. Create a new HuggingFace [**Organization**](https://huggingface.co/organizations/new) (**not a user account**) for your challenge team. **The length of your combined Organization name + Space name must be less than 47 characters** due to a limitation of the HuggingFace API. **We strongly recommend creating a brand-new Organization solely for the purpose of submitting to the SAFE Challenge.**
 2. Create a new `Space` within your `Organization`. The Space must use the [Docker SDK](https://huggingface.co/new-space?sdk=docker). **Private Spaces are OK and they will work with the submission process.** **The length of your combined Organization name + Space name must be less than 47 characters** due to a limitation of the HuggingFace API.
 3. Create a file called `DYFF_TEAM` in the root directory of your HF Space. The contents of the file should be your Team ID (not your Account ID). This file allows our infrastructure to verify that your Team controls this HF Space.
 4. Create a `Dockerfile` in your Space that builds your challenge submission image.
@@ -260,7 +260,7 @@ These are the steps to prepare a HF Space for making submissions to the challeng
 
 To make a challenge submission from your Space:
 
-1. Add the [official SAFE Challenge user account](https://huggingface.co/safe-challenge-2025-submissions) as a Member of your organization with `read` permissions. **Make sure you are adding the correct user account;** the account name is `safe-challenge-2025-submissions`. This grants permission to our infrastructure to pull the Docker image built by your Space.
+1. Add the [official SAFE Challenge user account](https://huggingface.co/safe-challenge-2025-submissions) as a Member of your Organization with `read` permissions. **Make sure you are adding the correct user account;** the account name is `safe-challenge-2025-submissions`. This grants permission to our infrastructure to pull the Docker image built by your Space.
 2. When you're ready to submit, use the [submission web form](https://challenge.dyff.io/submit) and enter the URL of your Space and the branch that you want to submit.
 
 ## Handling large models
@@ -282,7 +282,9 @@ If access credentials are required to download your model files, you should prov
 
 Access credentials are necessary if you want to clone a private HuggingFace Model repository during your Docker build process.
 
-Access the secrets as described in the [Secrets > Buildtime section](https://huggingface.co/docs/hub/spaces-sdks-docker#secrets). Remember that you can't download files at run-time because your system will not have access to the Internet.
+Access the secrets as described in the [Secrets > Buildtime section](https://huggingface.co/docs/hub/spaces-sdks-docker#secrets). Remember that you can't download files at run-time because your system [will not have access to the Internet](#test-that-your-container-works-without-internet-access).
+
+⚠️ If your Space uses the Secrets feature, accessing the Docker images built from your Space requires `admin` permissions. You must add the [official SAFE Challenge user account](https://huggingface.co/safe-challenge-2025-submissions) as a Member of your Organization with `admin` permissions. **We strongly recommend creating a brand-new Organization solely for the purpose of submitting to the SAFE Challenge.** This way, you will not be granting our system `admin` permissions on any other unrelated HuggingFace repositories you might have.
 
 
 # How to implement a detector