
Security: Megvii-BaseDetection/YOLOX


SECURITY.md

Security Policy

Reporting a Vulnerability

Types of Security Issues

We actively monitor:

  • Code vulnerabilities (RCE, XSS, authentication bypass)
  • Dependency risks (critical vulnerabilities in project dependencies, such as requirements.txt, pyproject.toml, or equivalent files)
  • Configuration flaws (insecure defaults in deployment scripts)

Disclosure Channels (Choose one):

  1. Encrypted Email
    Contact: [email protected]
    Subject format: [SECURITY] ModuleName - Brief Description

  2. GitHub Private Report
    Use GitHub's "Report a vulnerability" feature

  3. GitHub Issue
    Open a new issue in the repository: https://github.com/Megvii-BaseDetection/YOLOX/issues/new

Response Process

  1. Acknowledgement
    • Initial response within 48 business hours
  2. Assessment
    • Triage using CVSS v3.1 scoring
  3. Remediation
    • Critical (CVSS ≥ 9.0): Patch within 7 days
    • High (CVSS 7.0-8.9): Patch within 30 days
  4. Public Disclosure

Secure Development Practices

  • Always verify hashes when downloading dependencies:
    sha256sum -c <your-dependency-hash-file>
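The following script is an added example and is not YOLOX project code. It shows the full hash-pinning workflow behind the `sha256sum -c` line above: a pinned digest is written in the line format `sha256sum -c` expects, a pristine download passes, and a tampered copy is rejected before anything is installed. The artifact name `dep-1.0.tar.gz`, its `.sha256` sidecar file and the function names are placeholders constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not part of the YOLOX project: pin a downloaded artifact's
# SHA-256 digest and check it with sha256sum -c, then show that a tampered
# copy is rejected. The artifact and file names (dep-1.0.tar.gz and its
# .sha256 sidecar) are placeholders constructed for this demonstration.
set -eu

# sha256sum on GNU/Linux; shasum -a 256 (same output and -c format) elsewhere.
if command -v sha256sum >/dev/null 2>&1; then
  SHA="sha256sum"
else
  SHA="shasum -a 256"
fi

# pin_hash DIR NAME: write "<hex>  <NAME>" to DIR/NAME.sha256, the line format
# that sha256sum -c reads. Real pins come from the publisher (release notes,
# a signed manifest), not from the file just downloaded; here the digest is
# computed locally only to build the fixture.
pin_hash() {
  (cd "$1" && $SHA "$2") > "$1/$2.sha256"
}

# verify_hash DIR NAME: return 0 if DIR/NAME matches the pinned digest in
# DIR/NAME.sha256, non-zero otherwise. Runs inside DIR so the bare file name
# recorded in the .sha256 file resolves.
verify_hash() {
  (cd "$1" && $SHA -c "$2.sha256" >/dev/null 2>&1)
}

# run_demo: pristine artifact passes, tampered artifact fails. Returns 0 only
# if both outcomes are as expected.
run_demo() {
  dir="$(mktemp -d)"
  printf 'constructed dependency payload v1\n' > "$dir/dep-1.0.tar.gz"
  pin_hash "$dir" dep-1.0.tar.gz

  if verify_hash "$dir" dep-1.0.tar.gz; then
    echo "pristine download: hash ok"
  else
    echo "unexpected: pristine download failed verification"
    return 1
  fi

  # Simulate a swapped mirror or an in-transit modification.
  printf 'constructed dependency payload v1 + extra bytes\n' > "$dir/dep-1.0.tar.gz"
  if verify_hash "$dir" dep-1.0.tar.gz; then
    echo "unexpected: tampered download passed verification"
    return 1
  fi
  echo "tampered download: hash mismatch, install aborted"
  rm -rf "$dir"
}

run_demo
```

For Python dependencies the same check is built into pip: add `--hash=sha256:<hex>` to each pinned line in requirements.txt (`pip hash <file>` prints the line for a downloaded wheel or sdist) and install with `pip install --require-hashes -r requirements.txt`, which refuses any package whose digest is missing or does not match. In both cases the security of the check rests on where the pinned digest came from; a hash computed from the same download it is meant to verify proves nothing.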

There aren’t any published security advisories