If you discover a security vulnerability in EZ-CorridorKey, please report it responsibly through one of these channels:
- GitHub Private Security Advisory (preferred): Go to the Security tab and create a private advisory.
- Email: Send details to EZ-CorridorKey@proton.me
Please do not open public GitHub issues for security vulnerabilities.
- Description of the vulnerability
- Steps to reproduce
- Affected versions
- Potential impact
- Acknowledgment: Within 72 hours
- Initial assessment: Within 1 week
- Fix or mitigation: Depends on severity, but we aim for 30 days for critical issues
The following are in scope:
- The EZ-CorridorKey Python application and GUI
- Model loading and inference pipeline
- Docker container configuration
- Build and packaging scripts (PyInstaller, NSIS)
- File I/O and subprocess handling
The following are out of scope:
- Third-party model weights hosted externally
- Upstream dependencies (report those to their maintainers)
- Issues requiring physical access to the machine
- Social engineering
- All `torch.load()` calls use `weights_only=True` to prevent pickle deserialization attacks
- Subprocess calls use list-based arguments (no `shell=True`)
- No network-facing services in the desktop application
- Docker ports are bound to localhost only
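
The two code-level measures listed above (`weights_only=True` on every `torch.load()` call and no `shell=True` in subprocess calls) can be checked mechanically. The following is an added example, not part of the EZ-CorridorKey code base: a small AST-based audit whose function names and sample input are constructed for illustration. It assumes calls are written with the dotted names `torch.load` and `subprocess.<func>`, so aliased imports are not detected.

```python
import ast

# subprocess entry points that accept a shell= keyword
SUBPROCESS_FUNCS = {"run", "Popen", "call", "check_call", "check_output"}

def _dotted(node):
    """Return a dotted name such as 'torch.load' for Name/Attribute chains, else ''."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""

def _is_literal(node, value):
    return isinstance(node, ast.Constant) and node.value is value

def audit_source(source, filename="<constructed>"):
    """Return (filename, line, message) tuples for calls that break either rule."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func)
        kwargs = {kw.arg: kw.value for kw in node.keywords if kw.arg}
        if name == "torch.load":
            # Missing, False, or a non-literal value are all flagged.
            if not _is_literal(kwargs.get("weights_only"), True):
                findings.append((filename, node.lineno, "torch.load without weights_only=True"))
        elif name.startswith("subprocess.") and name.split(".")[-1] in SUBPROCESS_FUNCS:
            shell = kwargs.get("shell")
            # Absent or a literal False is fine; True or a variable is flagged.
            if shell is not None and not _is_literal(shell, False):
                findings.append((filename, node.lineno, "subprocess call with shell enabled"))
    return sorted(findings, key=lambda f: f[1])

# Constructed sample input, not taken from the project.
SAMPLE = '''\
import subprocess, torch
good = torch.load("model.pt", weights_only=True)
bad = torch.load("model.pt")
subprocess.run(["ffmpeg", "-i", src, dst], check=True)
subprocess.run("ffmpeg -i " + src, shell=True)
'''

if __name__ == "__main__":
    for fname, line, msg in audit_source(SAMPLE):
        print(f"{fname}:{line}: {msg}")
```

Run over each source file in CI, a non-empty result can fail the build so that a regression in either measure is caught before release.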