We release patches for security vulnerabilities for the following versions:

We take the security of SAHI seriously. If you believe you have found a security vulnerability in SAHI, please report it to us as described below.

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them via one of the following methods:

1. GitHub Security Advisories (Preferred)

   • Go to the Security Advisories page
   • Click "Report a vulnerability"
   • Fill in the details of the vulnerability

2. Email

   • Send an email to the maintainers through GitHub
   • Include "SECURITY" in the subject line
   • Provide detailed information about the vulnerability

Please include the following information in your report:

• Type of vulnerability (e.g., remote code execution, information disclosure, etc.)
• Full paths of source file(s) related to the vulnerability
• The location of the affected source code (tag/branch/commit or direct URL)
• Any special configuration required to reproduce the issue
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue, including how an attacker might exploit it

• We will acknowledge your report within 3 business days
• We will provide a detailed response within 7 business days indicating the next steps
• We will keep you informed about the progress towards a fix and full announcement
• We may ask for additional information or guidance

• Security issues will be addressed with high priority
• Once a fix is available, we will:
  1. Release a patch version
  2. Publish a security advisory on GitHub
  3. Credit you (unless you prefer to remain anonymous)
  4. Update the CHANGELOG with security fix information

When using SAHI, we recommend:

1. Keep SAHI updated to the latest version
2. Review dependencies regularly for known vulnerabilities
3. Validate inputs when processing untrusted images or models
4. Use virtual environments to isolate SAHI and its dependencies
5. Follow least privilege principle when running SAHI in production
6. Be cautious with model weights from untrusted sources

• Model Loading: Be cautious when loading model weights from untrusted sources
• Image Processing: Validate and sanitize image inputs, especially from untrusted sources
• File Operations: SAHI performs file I/O operations; ensure proper permissions and path validation
• Dependencies: Some optional dependencies (PyTorch, TensorFlow, etc.) may have their own security considerations

Security updates will be announced through:

• GitHub Security Advisories
• GitHub Releases
• CHANGELOG.md

• GitHub Security Best Practices
• OWASP Top Ten
• Python Security Best Practices

Currently, we do not have a bug bounty program. However, we greatly appreciate security researchers who responsibly disclose vulnerabilities to us.

For any security-related questions or concerns, please contact the maintainers through GitHub.

Thank you for helping keep SAHI and its users safe!