Do not create a public GitHub issue for security vulnerabilities.
Email security@withoutbg.com with:
- A description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fix (optional)
You will receive an acknowledgement within 48 hours and a status update within 7 days.
This policy covers the withoutbg Python package (this repository).
For vulnerabilities in the Docker / self-hosted inference service, report via withoutbg/withoutbg-inference or the same email address.
Security fixes are applied to the latest release only. We do not backport to older minor versions.
We follow a 90-day coordinated disclosure timeline. After a fix is released, we will publish a security advisory on GitHub.