Security: TKY-27/TuneForge

SECURITY.md

Security Policy

TuneForge is local-first software, so security reports often involve private datasets, prompts, model outputs, API keys, or machine details. Do not post those details in a public issue.

Reporting A Vulnerability

Use GitHub private vulnerability reporting when it is enabled for the public repository. If it is not available yet, open a minimal public issue that says a security report is needed, but do not include secrets, private data, exploit steps, or sensitive logs.

Maintainers should acknowledge reports as soon as practical, reproduce privately, and publish fixes or advisories without exposing user data.

Scope

Security-sensitive areas include:

  • local-only network isolation
  • API teacher preview and explicit confirmation gates
  • API key and PII redaction
  • dataset import and validation
  • backend subprocess execution and log handling
  • model, adapter, dataset, and model-card publishing safeguards

Japanese

TuneForge is local-first software. Vulnerability reports may contain private datasets, prompts, model outputs, API keys, and environment information. Do not write these in a public issue.

If GitHub's private vulnerability reporting is available, use it. If it is not, use a public issue only to let us know that a security report is needed, without writing any details.

There aren't any published security advisories