We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

1. DO NOT create a public GitHub issue for security vulnerabilities
2. Email the maintainers directly or use GitHub's private vulnerability reporting feature
3. Include as much detail as possible:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

• Acknowledgment: We will acknowledge receipt within 48 hours
• Assessment: We will assess the vulnerability within 7 days
• Resolution: We aim to release a fix within 30 days for confirmed vulnerabilities
• Credit: We will credit reporters in the release notes (unless you prefer anonymity)

This security policy covers:

• The motcpp library code
• Build system vulnerabilities
• Dependencies with known CVEs

• Vulnerabilities in upstream dependencies (report to respective projects)
• Issues requiring physical access to the machine
• Social engineering attacks

When using motcpp:

1. Keep Updated: Always use the latest version
2. Validate Input: Sanitize detection inputs before passing to trackers
3. Model Security: Only load ONNX models from trusted sources
4. Build Security: Use release builds with appropriate compiler flags

motcpp includes:

• No network access (air-gapped operation possible)
• No dynamic code execution
• Bounded memory allocation
• Input validation for detection matrices

For security concerns, contact the maintainers through GitHub.