MLflow and its community take security bugs seriously. We appreciate efforts to improve the security of MLflow and follow the GitHub coordinated disclosure of security vulnerabilities for responsible disclosure and prompt mitigation. We are committed to working with security researchers to resolve the vulnerabilities they discover.
The latest version of MLflow has continued support. If a critical vulnerability is found in the current version of MLflow, we may opt to backport patches to previous versions.
When finding a security vulnerability in MLflow, please perform the following actions:
- Open an issue on the MLflow repository. Ensure that you use
[BUG] Security Vulnerabilityas the title and do not mention any vulnerability details in the issue post. - Send a notification email to
mlflow-oss-maintainers@googlegroups.comthat contains, at a minimum:- The link to the filed issue stub.
- Your GitHub handle.
- Detailed information about the security vulnerability, evidence that supports the relevance of the finding and any reproducibility instructions for independent confirmation.
This first stage of reporting is to ensure that a rapid validation can occur without wasting the time and effort of a reporter. Future communication and vulnerability resolution will be conducted after validating the veracity of the reported issue.
An MLflow maintainer will, after validating the report:
- Acknowledge the bug during triage
- Mark the issue as
priority/critical-urgent - Open a draft GitHub Security Advisory to discuss the vulnerability details in private.
The private Security Advisory will be used to confirm the issue, prepare a fix, and publicly disclose it after the fix has been released.