# Security Policy

## Reporting a Vulnerability

### Types of Security Issues

We actively monitor:

- Code vulnerabilities (RCE, XSS, authentication bypass)
- Dependency risks (critical vulnerabilities in project dependencies, such as `requirements.txt`, `pyproject.toml`, or equivalent files)
- Configuration flaws (insecure defaults in deployment scripts)

### Disclosure Channels

Choose one:

1. **Encrypted Email**
   Contact: `wangfeng19950315@163.com`
   *Subject format: `[SECURITY] ModuleName - Brief Description`*
2. **GitHub Private Report**
   Use GitHub's ["Report a vulnerability"](https://github.com/Megvii-BaseDetection/YOLOX/security/advisories) feature
3. **Reporting Security Issues**
   Please report security issues by creating a new issue: https://github.com/Megvii-BaseDetection/YOLOX/issues/new

## Response Process

1. **Acknowledgement**
   - Initial response within **48 business hours**
2. **Assessment**
   - Triage using CVSS v3.1 scoring
3. **Remediation**
   - Critical (CVSS ≥ 9.0): patch within **7 days**
   - High (CVSS 7-8.9): patch within **30 days**
4. **Public Disclosure**
   - Published via [GitHub Advisories](https://github.com/Megvii-BaseDetection/YOLOX/security/advisories)
   - CVE assignment coordinated with [MITRE](https://cveform.mitre.org)

## Secure Development Practices

- Always verify hashes when downloading dependencies:

  ```bash
  sha256sum -c
  ```
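As an added example (not code from the YOLOX project), the script below shows the hash check above end to end on a constructed file: pin a SHA-256 digest, verify it with `sha256sum -c`, and reject a tampered or missing download. The file name `model.bin` and the helper names are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the YOLOX project: pin and verify the SHA-256
# digest of a downloaded artifact with `sha256sum -c`, failing closed on mismatch.

# sha256_line FILE
# Print the checksum line to commit next to the download ("<hex>  <path>").
sha256_line() {
    sha256sum -- "$1"
}

# verify_sha256 FILE EXPECTED_HEX
# Exit 0 only when FILE exists and hashes to EXPECTED_HEX; 1 on mismatch,
# missing file or malformed digest. Uses `sha256sum -c`, the same check a
# committed SHA256SUMS file would get.
verify_sha256() {
    local file="$1" expected="$2"
    case "$expected" in
        *[!0-9a-fA-F]*|"") return 1 ;;   # refuse anything that is not hex
    esac
    [ "${#expected}" -eq 64 ] || return 1  # SHA-256 is 32 bytes = 64 hex chars
    # With no file argument, sha256sum -c reads "<hex>  <path>" lines from stdin.
    # --status keeps it quiet (exit code only); --strict fails on malformed lines.
    printf '%s  %s\n' "$expected" "$file" | sha256sum -c --status --strict
}

# Demo on a constructed artifact (no network needed).
demo_dir="$(mktemp -d)"
printf 'hello\n' > "$demo_dir/model.bin"                        # stand-in download
pinned="$(sha256_line "$demo_dir/model.bin" | cut -d' ' -f1)"   # digest to pin
if verify_sha256 "$demo_dir/model.bin" "$pinned"; then
    echo "OK: model.bin matches pinned digest $pinned"
fi
printf 'hellp\n' > "$demo_dir/model.bin"                        # simulated tampering
if ! verify_sha256 "$demo_dir/model.bin" "$pinned"; then
    echo "REJECTED: model.bin does not match pinned digest"
fi
rm -rf "$demo_dir"
```

In practice the pinned line goes into a `SHA256SUMS` file committed with the project, and `sha256sum -c SHA256SUMS` is run before any downloaded artifact is used.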