Security

SECURITY.md

Security Policy

Supported Versions

Version	Supported
1.1.x	✅
1.0.x	✅
< 1.0	❌

Reporting a Vulnerability

If you discover a security vulnerability in Thulium, please report it responsibly.

How to Report

Do not open a public issue
Email security concerns to: security@thulium-dev.io
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

Response Timeline

Acknowledgment: Within 48 hours
Initial Assessment: Within 7 days
Resolution: Depends on severity
- Critical: 7 days
- High: 14 days
- Medium: 30 days
- Low: Next release

Disclosure Policy

We follow responsible disclosure practices
Reporters will be credited (unless anonymity requested)
CVE will be requested for confirmed vulnerabilities

Security Best Practices

When using Thulium:

Validate inputs — Don't process untrusted images without validation
Use latest version — Security fixes are only in supported versions
Verify model integrity — Check model hashes when downloading
Sandbox execution — Run untrusted workloads in containers

There aren't any published security advisories