eFab ships no product code of its own. It is a manifest repo that
declares which versions of the canonical EmbeddedOS product repositories
to fetch. Vulnerabilities in the fetched repos belong to those repos.
| Concern | File here? | Where to report |
|---|---|---|
Bug in eAI inference, agent loop, model loader |
No | https://github.com/embeddedos-org/eAI/security |
Bug in eIPC transport, HMAC, replay protection |
No | https://github.com/embeddedos-org/eIPC/security |
Bug in eNI provider, signal processing, decoder |
No | https://github.com/embeddedos-org/eNI/security |
| Wrong / weak version pin in a manifest | Yes | open a private security advisory on this repo |
| Smoke test that masks a real product CVE | Yes | open a private security advisory on this repo |
| CI workflow that leaks tokens or fetches over plain HTTP | Yes | open a private security advisory on this repo |
Please open a private security advisory on this repo. Do not file a public issue for an in-scope vulnerability.
We aim to acknowledge within 5 working days. Coordinated disclosure follows
the policy in this repo's SECURITY.md (this file) plus the
upstream product's own SECURITY.md for any vulnerability that originates
in eAI / eIPC / eNI source.
- Manifests pin immutable tags, not branches. A
rev: masteris a bug; please report it. - The CMake superproject uses
GIT_SHALLOW TRUEand never disables TLS verification. - CI never runs against PR-author-controlled forks with secrets exposed.