Thank you for helping keep OpenIdeas and its community safe.
We take security vulnerabilities seriously and appreciate responsible disclosure.
OpenIdeas is under active development. Security fixes are applied to the latest commit on the default branch.
| Version / Branch | Supported | Notes |
|---|---|---|
| main (latest) | ✅ Yes | All security fixes are applied here first |
| Release tags (if any) | Backports may be provided depending on severity | |
| Old commits / forks | ❌ No | Please upgrade to the latest main |
If you are using OpenIdeas as a dependency, we strongly recommend pinning a commit/tag and updating regularly.
If you believe you have found a security vulnerability in OpenIdeas, please report it privately.
If the repository is hosted on GitHub and Security Advisories are enabled:
- Go to Security → Advisories
- Click Report a vulnerability
- Provide the details described in the "What to Include" section below
This is the fastest and most secure way to report issues.
If GitHub Security Advisories are not available, please email the maintainer:
- Security contact: yaoyuzhuo6@gmail.com
- Subject format: `[SECURITY] <short summary>`
⚠️ Please do not open a public GitHub issue for security reports.
To help us reproduce and fix the issue quickly, please include:
- A clear description of the vulnerability and potential impact
- Affected file(s) / module(s) / function(s)
- Steps to reproduce (PoC or minimal code snippet if possible)
- Expected behavior vs actual behavior
- Environment information:
  - OS and version
  - Python version
  - PyTorch version
  - CUDA version (if relevant)
- Any suggested mitigation or patch (optional)
If you have a working proof-of-concept, please keep it minimal and safe.
We aim to respond according to the following timeline:
- Acknowledgement: within 72 hours
- Initial assessment: within 7 days
- Fix / mitigation plan: as soon as reasonably possible depending on severity
Complex issues may take longer, especially if they require design changes or coordinated disclosure.
We follow a responsible disclosure process:
- We confirm the issue and assess severity
- We develop a fix and validate it
- We prepare a security advisory (if applicable)
- We publish the fix and disclose details responsibly
Please allow us reasonable time to investigate and resolve the issue before public disclosure.
This security policy applies to vulnerabilities in:
- Code under `src/`
- Scripts under `test/` and repository utilities
- Documentation tooling that executes code (if any)
The following are generally out of scope:
- Vulnerabilities in third-party dependencies (please report upstream)
- Social engineering attacks
- Physical attacks
- Issues requiring unrealistic assumptions
- Non-security bugs (please use GitHub Issues)
OpenIdeas is a research-oriented repository. Some modules may execute user-provided tensors or configurations. Please treat all external model weights, checkpoints, and configs as untrusted.
We recommend the following practices when using OpenIdeas:
- Use trusted sources for pretrained weights and checkpoints
- Avoid running untrusted code or configs in production environments
- Run experiments in isolated environments (virtualenv/conda/docker)
- Keep Python/PyTorch and dependencies up to date
While we do not list every potential issue, common risk areas include:
- Unsafe deserialization of checkpoints or configs
- File path handling and unsafe file operations
- Arbitrary code execution through dynamic imports
- Unbounded resource usage (OOM / DoS via huge tensors)
If you discover issues related to these areas, please report them.
We appreciate security researchers and community members who report vulnerabilities responsibly. With your permission, we will acknowledge you in the security advisory or release notes.
- Security contact: yaoyuzhuo6@gmail.com
You may also open a private advisory report once GitHub Security Advisories are enabled.
