We provide security updates for the following versions:

| Version | Supported |
|---|---|
| 3.0.x | ✅ |
| 2.2.x | ✅ |
| < 2.2 | ❌ |

If you discover a security vulnerability in Auto3D, please report it responsibly.

- Do NOT open a public issue for security vulnerabilities
- Email the maintainers directly at: isayev@andrew.cmu.edu
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)

- Acknowledgment: Within 48 hours
- Initial assessment: Within 1 week
- Resolution timeline: Depends on severity

| Level | Description | Response Time |
|---|---|---|
| Critical | Remote code execution, data loss | 24-48 hours |
| High | Privilege escalation, DoS | 1 week |
| Medium | Information disclosure | 2 weeks |
| Low | Minor issues | Next release |

When using Auto3D:

- Keep updated: Use the latest version
- Validate inputs: Sanitize SMILES strings from untrusted sources
- Secure custom models: Only load models from trusted sources
- Environment: Run in isolated environments for untrusted data

Loading custom PyTorch models via optimizing_engine="/path/to/model.pt" uses torch.load(), which unpickles the file and can therefore execute arbitrary code embedded in it. Only load models from trusted sources.

Auto3D reads and writes files based on user-provided paths. Ensure proper access controls in multi-user environments.

We thank security researchers who responsibly disclose vulnerabilities.