This project is currently pre-1.0. The latest commit on main is the only
supported version; security fixes will not be back-ported.
Do not open a public GitHub issue for a security vulnerability.
Email the maintainer privately:
harshpandhe.contact@gmail.com
Subject: `SECURITY: <one-line summary>`
Include:
- The component (e.g. `server/auth.py`, `cli.py`, `physics.py`, …)
- The version / commit SHA
- A reproduction (minimal command sequence or test case)
- Your assessment of impact and severity
- Whether you'd like to be credited in the eventual advisory
You should expect:
| Within | What |
|---|---|
| 48 h | Acknowledgement of receipt |
| 7 d | Triage outcome (accepted / declined / need-more-info) |
| 30 d | Fix landed on main and a CVE request filed if applicable |

If the vulnerability is in a third-party dependency, please also report it upstream after disclosing here.
In scope:
- Authentication / authorization flaws in `server/auth.py` (token forgery, privilege escalation, replay)
- SQL injection or ORM misuse in `server/db.py` / `server/models.py`
- Path traversal in export endpoints (`/projects/{id}/export/{fmt}`, DEM upload handling)
- Insecure file handling in DEM ingestion (`dem.py`, `routes.py`)
- Cryptographic misuse (JWT, password hashing)
- Container build issues (`Dockerfile`, `docker-compose.yml`) producing exploitable images
- CI workflow injection (`.github/workflows/ci.yml`)
- Deserialisation of untrusted input (project save/load, RL policy load, PyVista scene serialisation)
Out of scope:
- Engineering-result correctness (those are bugs, not security issues — use the bug template)
- DoS via expensive optimizer runs (mitigated by caller's deployment)
- Issues that require local filesystem access already granted to the attacker
If you can supply a pytest snippet that demonstrates the vulnerability,
include it. We will not ship a fix without a regression test.
Researchers who responsibly disclose will be credited in CHANGELOG.md
under the version that ships the fix, unless they request otherwise.