Please do NOT open a public GitHub issue for security vulnerabilities.

To report a vulnerability, use one of the following channels:

• Preferred: GitHub Security Advisories — report privately via GitHub's built-in mechanism
• Alternative: Email the maintainers at the address listed in pyproject.toml

• A clear description of the vulnerability
• Steps to reproduce (proof-of-concept if possible)
• Potential impact assessment
• Suggested fix (optional but appreciated)

• Acknowledgement: within 48 hours
• Initial assessment: within 5 business days
• Fix / disclosure timeline: coordinated with the reporter

We follow coordinated disclosure. We ask that you give us reasonable time to address the issue before any public disclosure.

The following are in scope for security reports:

• MATA framework source code (src/mata/)
• CI/CD workflows (.github/workflows/)
• Package configuration (pyproject.toml)

The following are out of scope:

• Third-party model weights or datasets used with MATA
• Vulnerabilities in upstream dependencies (report those to the respective projects)
• Issues that require physical access to the machine running MATA
• Social engineering attacks

• Always install MATA from the official repository (datamata-io/mata) or PyPI
• Pin dependency versions in production environments
• Do not load untrusted model weights (.pt, .onnx, .pth) — deserialization of arbitrary files can execute code
• Review any custom adapter code before running it in sensitive environments