We release patches for security vulnerabilities. The following versions are currently being supported with security updates:
| Version | Supported |
|---|---|
| 0.0.1 | ✅ |
- The installation script is downloaded via HTTPS to ensure integrity
- All package installations use official repositories and verified sources
- SHA256 checksums are verified for downloaded components where available
- All installations require explicit user confirmation via sudo
- The script modifies system configurations only when necessary
- All system modifications are logged and reversible
- User permissions are modified only for essential functionality (e.g., Docker group)
- Python packages are installed in an isolated virtual environment
- Dependencies are version-pinned to prevent supply chain attacks
- Third-party packages are installed only from PyPI using secure HTTPS
- NVIDIA drivers are installed only from official Ubuntu repositories
- CUDA installations are verified against NVIDIA's public keys
- Container runtime configurations follow NVIDIA's security guidelines
We take the security of our project seriously. If you believe you have found a security vulnerability, please report it to us as described below.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via email to sec@mitkox.com.
You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.
Please include the following information:
- Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
Our project implements several security features to protect your system:
- HTTPS-Only Downloads: All package and script downloads use HTTPS
- GPG Key Verification: Package repositories are verified using GPG keys
- Secure File Handling: Temporary files are properly cleaned up
- Principle of Least Privilege: Operations requiring elevated privileges are minimized
- No Root Installation: The script prevents running as root for better security
- Clean Environment: Temporary files and caches are cleaned after installation
- Access Control: All installed components follow principle of least privilege
- Network Security: Downloads use HTTPS exclusively
- Data Protection: No sensitive data is collected
When using our project, follow these security best practices:
-
Always inspect scripts before running them
-
Keep your system updated
-
Use strong passwords for all services
-
Follow the principle of least privilege
-
Regularly monitor system logs
-
Keep backups of important data
-
Before Installation
- Verify the script's content before execution
- Check the installation URL matches the official repository
- Ensure you're on a supported Ubuntu version
-
During Installation
- Review sudo commands before entering password
- Monitor system modifications
- Ensure adequate disk space (20GB minimum)
-
Post Installation
- Keep the system updated
- Regularly update AI/ML libraries
- Monitor GPU resource usage
When we receive a security bug report, we will:
- Confirm the problem and determine the affected versions
- Audit code to find any potential similar problems
- Prepare fixes for all supported versions
- Release new versions as soon as possible
We regularly monitor and update dependencies for:
- Known vulnerabilities
- Supply chain risks
- Compatibility issues
All components are installed with respect to their licenses:
- Open source compliance is maintained
- License terms are preserved
- Attribution is provided where required
For security-related matters, contact:
- Security Email: sec@mitkox.com
- Radicle:
rad://z2ELVemM12PrcCMfi7dQCTHfsWPNh - GitHub: @mitkox