OpenLUTRA is currently in the pre-1.0 (v0.x) stage. Only the latest main branch is eligible for security fixes.
If you discover a security issue, please do not open a public issue. Instead, contact us privately at the address below.
- Email:
openlutra-contact@fastlabel.ai
A GitHub Security Advisory or a dedicated form for vulnerability reports will be set up separately.
- A summary of the vulnerability (scope of impact and assumed attack scenarios)
- Steps to reproduce (a PoC if possible)
- Known workarounds (if any)
- As a rule, reports are handled privately until a fix is released.
- If the reporter wishes to be credited, we will acknowledge them in the release notes (and will not do so if they prefer otherwise).
- We will not pursue civil or criminal action against, or request law-enforcement action regarding, security research conducted in good faith and in accordance with this policy. To remain within this safe harbor, please:
- Avoid accessing, modifying, or destroying data that does not belong to you any more than is strictly necessary to demonstrate the issue
- Refrain from denial-of-service, social engineering, phishing, or physical attacks
- Give us a reasonable opportunity to remediate before any public disclosure
The following items are out of scope for this project.
- Security of the user's own operations, network, or individual robot units
- Vulnerabilities in third-party dependencies themselves (when the workaround lies in that library). However, this does not apply when there is a mitigation that OpenLUTRA itself should account for.