Security fixes are handled on the default branch until the project publishes versioned releases.

Please do not open a public issue with exploit details.

Use GitHub private vulnerability reporting for the mlxtra/mlxtra repository when available. If private reporting is not enabled yet, open a minimal public issue asking for a private reporting channel and omit technical details until a private contact path is available.

Useful reports include:

• affected version or commit
• macOS version and hardware
• steps to reproduce
• impact and whether local files, model downloads, subprocess execution, or generated media are involved
• any suggested fix or mitigation

We will acknowledge valid reports when possible and coordinate fixes before publishing detailed disclosure.