During the alpha (0.x) series, only the latest tagged release on master receives security fixes. This is a best-effort, single-maintainer project — there are no SLAs.
Please report security issues privately rather than opening a public issue.
Preferred: open a GitHub Security Advisory on this repo (private vulnerability reporting).
Fallback: email security@logosflux.io.
Please include a clear description, steps to reproduce, the affected component (sam3d-body, sam3d-objects, the ComfyUI custom nodes, or scripts/), and the commit SHA or release tag you tested against. A working proof of concept is appreciated but not required.
You can expect a best-effort acknowledgement within ~14 days and coordinated disclosure once a fix is available.
In scope:
- Bugs that allow unauthenticated access to a service binding only on the docker-internal network being trivially exposable on a public interface as documented.
- Path traversal in the FastAPI services (e.g. `/mesh/<job_id>`, `/splat/<job_id>`, mask download paths) escaping the per-service output root.
- Code execution via crafted inputs to `/infer*` or `/mask/*` beyond what model inference itself does.
- Secret leakage in logs, error messages, response bodies, or Docker image layers built from this repo.
- Bypass of `scripts/check-for-leaks.sh` patterns that lets a tracked file ship a personal hostname, email, token, or hardcoded `/home/<user>/` path.
Out of scope:
- Model weights. This repo redistributes no weights. SAM 3D Body, SAM 3D Objects, SAM 2, and SAM 3 are fetched at runtime from HuggingFace under the user's own approved access. Issues with the weights themselves (licensing, content, watermarking, model behaviour) belong upstream with Meta — see `ATTRIBUTION.md`.
- Issues that require root on the host, physical access, or a malicious image already loaded into the local Docker daemon.
- Misconfiguration of operator-deployed reverse proxies, Cloudflare Tunnel, Tailscale serve, etc. The services are designed to bind on the loopback / docker-bridge by default; exposing them publicly is the operator's responsibility.
- Vulnerabilities in upstream Python dependencies that don't affect the shipped configuration; please report those upstream.
- Theoretical issues without a proof of concept against a recent build.
If you're not sure whether something is in scope, send the report anyway — we'd rather triage and explain than miss a real issue.