We release patches for security vulnerabilities for the following versions:

Please do not open public GitHub issues for security vulnerabilities.

1. Go to Security Advisories
2. Click "Report a vulnerability"
3. Fill in the details (see below)

If GitHub Security Advisories are not available, contact maintainers through private channels.

Please provide:

• Description — Clear explanation of the vulnerability
• Affected versions — Which versions are impacted
• Reproduction steps — Minimal code or commands to reproduce
• Impact — What an attacker could achieve
• Suggested fix — If you have ideas for mitigation

We will keep you informed throughout the process.

When deploying YOLO-Toys:

• The API validates file types and sizes (MAX_UPLOAD_MB)
• Only image files are accepted for inference endpoints
• WebSocket frames are size-limited

• Run behind a reverse proxy (nginx, Caddy) in production
• Set appropriate ALLOW_ORIGINS for CORS
• Use HTTPS for all public deployments
• Consider rate limiting for public endpoints

• Docker image runs as non-root user
• Multi-stage build minimizes attack surface
• No sensitive data in image layers

• Keep dependencies updated
• Use pip-audit to check for known vulnerabilities:

pip install pip-audit
pip-audit

• YOLO weights are downloaded from Ultralytics on first use
• HuggingFace models are downloaded from HuggingFace Hub
• Ensure network access to trusted sources only

• Set MAX_CONCURRENCY to prevent resource exhaustion
• Monitor memory usage with large models
• Consider container resource limits in production

Security patches are released as patch versions. Subscribe to GitHub releases or watch the repository for updates.

Thank you for helping keep YOLO-Toys secure! 🔒