Skip to content

Security: fastlabel/open-lutra

Security

SECURITY.md

Security Policy

Supported Versions

OpenLUTRA is currently in the pre-1.0 (v0.x) stage. Only the latest main branch is eligible for security fixes.

Reporting a Vulnerability

If you discover a security issue, please do not open a public issue. Instead, contact us privately at the address below.

  • Email: openlutra-contact@fastlabel.ai

A GitHub Security Advisory or a dedicated form for vulnerability reports will be set up separately.

Information That Helps Us Triage

  • A summary of the vulnerability (scope of impact and assumed attack scenarios)
  • Steps to reproduce (a PoC if possible)
  • Known workarounds (if any)

Disclosure Policy

  • As a rule, reports are handled privately until a fix is released.
  • If the reporter wishes to be credited, we will acknowledge them in the release notes (and will not do so if they prefer otherwise).

Safe Harbor

  • We will not pursue civil or criminal action against, or request law-enforcement action regarding, security research conducted in good faith and in accordance with this policy. To remain within this safe harbor, please:

- Avoid accessing, modifying, or destroying data that does not belong to you any more than is strictly necessary to demonstrate the issue

- Refrain from denial-of-service, social engineering, phishing, or physical attacks

- Give us a reasonable opportunity to remediate before any public disclosure

Out of Scope

The following items are out of scope for this project.

  • Security of the user's own operations, network, or individual robot units
  • Vulnerabilities in third-party dependencies themselves (when the workaround lies in that library). However, this does not apply when there is a mitigation that OpenLUTRA itself should account for.

There aren't any published security advisories