Skip to content

Security: getml/mlflow

Security

SECURITY.md

Security Policy

MLflow and its community take security bugs seriously. We appreciate efforts to improve the security of MLflow and follow the GitHub coordinated disclosure of security vulnerabilities for responsible disclosure and prompt mitigation. We are committed to working with security researchers to resolve the vulnerabilities they discover.

Supported Versions

The latest version of MLflow has continued support. If a critical vulnerability is found in the current version of MLflow, we may opt to backport patches to previous versions.

Reporting a Vulnerability

When finding a security vulnerability in MLflow, please perform the following actions:

  • Open an issue on the MLflow repository. Ensure that you use [BUG] Security Vulnerability as the title and do not mention any vulnerability details in the issue post.
  • Send a notification email to mlflow-oss-maintainers@googlegroups.com that contains, at a minimum:
    • The link to the filed issue stub.
    • Your GitHub handle.
    • Detailed information about the security vulnerability, evidence that supports the relevance of the finding and any reproducibility instructions for independent confirmation.

This first stage of reporting is to ensure that a rapid validation can occur without wasting the time and effort of a reporter. Future communication and vulnerability resolution will be conducted after validating the veracity of the reported issue.

An MLflow maintainer will, after validating the report:

  • Acknowledge the bug during triage
  • Mark the issue as priority/critical-urgent
  • Open a draft GitHub Security Advisory to discuss the vulnerability details in private.

The private Security Advisory will be used to confirm the issue, prepare a fix, and publicly disclose it after the fix has been released.

There aren’t any published security advisories