If you discover a security vulnerability in miniAI, please report it responsibly by:

1. GitHub Security Advisories: Report a vulnerability
2. Email: nelsonramos@ua.pt.

Please do NOT create a public issue for security vulnerabilities.

• Description of the vulnerability.
• Steps to reproduce.
• Affected versions.
• Potential impact.
• Suggested fix (if any).
• Your contact information (for follow-up) (if not by email).

These response timelines can be subject to change.

We only provide security updates for the latest release.
Please upgrade to the latest version.

When using miniAI:

• Use the latest release version.
• Keep dependencies updated (check Dependabot alerts).
• Run with least privilege (don't run as root).
• Validate input data before training.
• Don't expose trained model files publicly (may contain training data patterns).

• Follow secure coding practices.
• Never commit secrets or API keys.
• Test input validation thoroughly.
• Use tools like Valgrind to check for memory leaks.
• Review CodeQL security alerts.

• Use Docker containers for isolation.
• Limit network access if not needed.
• Monitor for unusual resource usage.
• Keep host system updated.

• miniAI uses custom arena allocators for performance.
• Bounded by ARENA_SIZE to prevent excessive memory allocation.
• All allocations are checked for NULL returns.

• PNG image processing uses stb_image (bounds-checked).
• Input validation on command-line arguments.
• Grid size limits prevent buffer overflows.

• Binary format with version checking.
• Dimension validation on load.
• No executable code in model files.

Memory safety:

• Arena allocator with bounds checking.
• No dynamic allocation after initialization (except on image processing pipeline).
• Valgrind should be clean (no leaks, no undefined behavior).

Input validation:

• Argument parsing with bounds checks.
• Grid size validation.
• File path sanitization.

Dependencies:

• Minimal external dependencies (only OpenMP).
• stb_image.h single-header library (widely audited).

Build security:

• Compilation with -Wall -Wextra.
• Optional AddressSanitizer builds.
• Valgrind memory checks in CI.

Once a vulnerability is fixed:

1. We'll publish a GitHub Security Advisory.
2. We'll release a patch version with the fix.
3. We'll credit the reporter (unless they prefer anonymity).
4. We'll update this SECURITY.md if practices change.

Security researchers who have responsibly disclosed vulnerabilities:

(None yet - be the first!)

For general security questions (not vulnerabilities), feel free to:

• Open a Discussion.
• Reach out via email.

Thank you for helping keep miniAI secure!