Report privately through GitHub Security Advisories ("Report a vulnerability" on the affected repository's Security tab). Do not open a public issue for a vulnerability.
Please include: affected repository and version/commit, a minimal reproduction, and the impact you observed. A first response is aimed within 7 days.
These tools operate on geospatial and remote-sensing data. The most relevant classes of report are:
- Input-handling flaws that could crash or misbehave on adversarial imagery, metadata, or annotation files.
- Deserialization or checkpoint-loading paths that could execute untrusted code
(see
model-provenance). - Any code path that would exfiltrate, log, or transmit operator-supplied configuration, credentials, or areas of interest.
- Third-party services and catalogs the tools query (report to the provider).
- Results interpretation: these tools surface signals to cross-check, not conclusions. Acting on an unverified signal is an operator decision, not a software defect.
CI pins GitHub Actions by commit SHA and runs a secret scan on every push. Dependency versions are pinned for reproducibility. Report any unpinned or compromised dependency you find.