Skip to content
This repository was archived by the owner on Jul 16, 2026. It is now read-only.

Security: baremetal-int/nitf-tools

Security

SECURITY.md

Security policy

Reporting a vulnerability

Report privately through GitHub Security Advisories ("Report a vulnerability" on the affected repository's Security tab). Do not open a public issue for a vulnerability.

Please include: affected repository and version/commit, a minimal reproduction, and the impact you observed. A first response is aimed within 7 days.

Scope

These tools operate on geospatial and remote-sensing data. The most relevant classes of report are:

  • Input-handling flaws that could crash or misbehave on adversarial imagery, metadata, or annotation files.
  • Deserialization or checkpoint-loading paths that could execute untrusted code (see model-provenance).
  • Any code path that would exfiltrate, log, or transmit operator-supplied configuration, credentials, or areas of interest.

Out of scope

  • Third-party services and catalogs the tools query (report to the provider).
  • Results interpretation: these tools surface signals to cross-check, not conclusions. Acting on an unverified signal is an operator decision, not a software defect.

Supply chain

CI pins GitHub Actions by commit SHA and runs a secret scan on every push. Dependency versions are pinned for reproducibility. Report any unpinned or compromised dependency you find.

There aren't any published security advisories