If you discover a security vulnerability in ModelAudit, please report it responsibly.

Do NOT open a public GitHub issue for security vulnerabilities.

• Email: security@promptfoo.dev
• Subject line: [ModelAudit Security] <brief description>

• Description of the vulnerability
• Steps to reproduce
• Affected version(s)
• Impact assessment (if known)

• Acknowledgment: Within 48 hours
• Initial assessment: Within 5 business days
• Fix or mitigation: Depends on severity, typically within 30 days for critical issues

This policy covers:

• The modelaudit Python package (published on PyPI)
• The official Docker images
• The GitHub Actions CI/CD workflows in this repository

This policy does not cover:

• Third-party dependencies (report those to the respective maintainers)
• The promptfoo.dev documentation website
• Models scanned by ModelAudit (report those to the model publisher)

If you discover a malicious or vulnerable third-party model artifact, please report it to the model publisher. Only report privately to us when the issue is in ModelAudit itself (for example, a detection bypass or scanner vulnerability).

We recommend always using the latest version of ModelAudit.

We follow coordinated disclosure. After a fix is released, we will:

1. Publish a security advisory on GitHub
2. Credit the reporter (unless they prefer anonymity)
3. Include details in the CHANGELOG