| Version | Supported |
|---|---|
| 0.1.x | ✅ |
If you discover a security vulnerability in hfl, please report it responsibly:
- Do NOT open a public GitHub issue for security vulnerabilities
- Email the maintainer at: [security contact to be added]
- Include a detailed description of the vulnerability
- Include steps to reproduce the issue
- Allow reasonable time for a fix before public disclosure
hfl is designed to handle HuggingFace tokens securely:
- Tokens are read only from environment variables (
HF_TOKEN) or secure prompts - Tokens are never persisted to disk, configuration files, or logs
- Tokens are held in memory only for the duration of the process
- All HuggingFace Hub connections use HTTPS
- The API server binds to
127.0.0.1by default (localhost only) - Exposing the server to
0.0.0.0requires explicit confirmation
hfl includes license verification to protect users from inadvertent license violations:
- Model licenses are checked and displayed before download
- License restrictions are stored with model metadata
- Users must explicitly accept non-permissive licenses
All AI-generated content includes disclaimers to inform users that:
- The content is AI-generated
- The content may be inaccurate or inappropriate
- Users are responsible for evaluating and using outputs
- Keep hfl updated to receive security fixes
- Use environment variables for tokens, not command-line arguments
- Do not expose the API server to untrusted networks
- Review model licenses before commercial use
- Validate AI outputs before critical use