| Version | Supported |
|---|---|
| 1.0.x | Yes |
| < 1.0 | No |
If you discover a security vulnerability in Endgame, please report it responsibly.
Do not open a public GitHub issue for security vulnerabilities.
Instead, please use one of the following methods:
- GitHub Security Advisories (preferred): Go to the Security tab and click "Report a vulnerability"
- Email: Send details to the maintainers via the email listed in the GitHub organization profile
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Acknowledgment within 48 hours
- Status update within 7 days
- We aim to release a fix within 30 days for confirmed vulnerabilities
Security issues in the following areas are in scope:
- Code execution vulnerabilities in model loading/deserialization (
endgame.persistence) - ONNX export producing models with unintended behavior
- Dependency vulnerabilities in core dependencies
- Path traversal or injection in file-handling utilities
- Adversarial ML attacks on trained models (this is a research area, not a software vulnerability)
- Denial of service through large inputs (expected behavior for ML workloads)
- Issues in optional dependencies not maintained by this project