This document explains how to report software security issues, safety-sensitive content, credential exposure, private data exposure, and release-risk concerns.
OpenAMP Foundry is both a software project and a safety-constrained scientific infrastructure project. Some issues should not be opened publicly.
Report privately to maintainers when an issue involves:
- private credentials or tokens;
- private dataset access;
- partner or reviewer private information;
- sensitive candidate or model artifacts;
- unsafe release pathways;
- bypass of safety or release checks;
- content that could materially increase misuse risk;
- vulnerabilities in CI, packaging, or artifact publication.
Do not include sensitive details in a public issue.
Use normal GitHub issues for:
- installation bugs;
- failing tests;
- documentation errors;
- schema validation bugs;
- unclear CLI behavior;
- benchmark reproducibility problems that do not expose sensitive artifacts;
- safe feature requests.
Use the issue templates when possible.
Do not open public issues containing:
- private keys, credentials, tokens, or URLs with secrets;
- restricted data;
- sensitive candidate lists;
- unreleased model artifacts;
- operational biological instructions;
- instructions for bypassing safety review;
- partner-private result details;
- exploit instructions beyond what maintainers need to understand impact.
For safety-sensitive reports, maintainers should:
- Acknowledge receipt.
- Restrict discussion to appropriate reviewers.
- Assess whether immediate removal or restriction is needed.
- Record a decision when safe to do so.
- Add tests, gates, docs, or review requirements to prevent recurrence.
- Publish a safe summary if public awareness is useful and safe.
If an issue affects users, artifacts, or downstream consumers, maintainers should coordinate a fix and communicate clearly without exposing sensitive details.
SAFETY.mdRESPONSIBLE_USE.mdMODEL_RELEASE_POLICY.mddocs/RELEASE_CHECKLIST.mddocs/SAFETY_DOC_AUDIT.md
When unsure whether an issue is safe to disclose publicly, report privately first.