
Security: GZ30eee/mlp

Security

SECURITY.md

DataVerse Security Policy

Supported Versions

The following versions of DataVerse currently receive security updates:

Version | Supported | Security Updates Until
1.1.1   |           | July 2025
1.1.2   |           | September 2025

Reporting a Vulnerability

We take security seriously and appreciate your efforts to responsibly disclose any vulnerabilities.

How to Report

  • Preferred Method: Email [email protected] with "[DataVerse Security]" in the subject
  • Alternative: Create a GitHub issue with the "security" label (for non-critical issues)

What to Include

  1. Description of the vulnerability
  2. Steps to reproduce
  3. Potential impact assessment
  4. Any suggested mitigation approaches

Our Response Process

  1. Acknowledgement: You will receive a response within 3 business days
  2. Investigation: Our team will verify the report within 10 business days
  3. Update: Regular status updates throughout the process
  4. Resolution: Patch released or mitigation guidance provided

Data Protection Focus Areas

Particular attention is given to vulnerabilities in:

  • Model serialization/deserialization
  • Data input validation
  • Authentication/authorization flows
  • Sensitive data handling in:
    • Stock price estimation modules
    • User-uploaded data processing
    • Model inference endpoints

Security Best Practices for Users

  1. Always validate input data before processing
  2. Run DataVerse in isolated environments when handling sensitive data
  3. Regularly update to the latest supported version
  4. Review model artifacts from untrusted sources before loading

Security Updates

Vulnerabilities will receive patches within the following timeframes, by severity:

  • 72 hours for critical issues (CVSS ≥ 9.0)
  • 14 days for high severity issues (CVSS 7.0-8.9)
  • Next scheduled release for medium/low severity

Dependency Security

DataVerse uses the following security measures for dependencies:

  • Regular scans with safety and Dependabot
  • Pinned requirements with hash verification
  • Quarterly dependency audits

For more information about our security practices, please contact [email protected].

There aren’t any published security advisories