
Security: naviNBRuas/_LearningMachines


Security Policy

Supported Versions

LearningMachines maintains security updates for the following versions:

Version   Supported
0.x.x     yes

As this is a foundational repository consisting of independent projects, each project maintains its own version in pyproject.toml. Security patches are applied to all actively maintained projects.

Security Considerations

Scope

LearningMachines is a collection of machine learning engineering primitives and toolkits designed for:

  • Educational purposes
  • Research prototypes
  • Foundational building blocks for larger systems

Important: These components are not hardened for direct production deployment in security-critical environments without additional layers of protection and validation.

Known Limitations

  1. Input Validation: Projects assume trusted input; additional validation may be required for production use.
  2. Model Security: From-scratch implementations prioritize clarity over security optimizations.
  3. Dependency Chain: Projects rely on external dependencies (numpy, sklearn, etc.) which should be kept updated.
  4. CLI Security: CLI tools do not implement authentication or authorization; suitable for development/research environments only.

Reporting a Vulnerability

We take security seriously. If you discover a security vulnerability in LearningMachines, please report it responsibly.

How to Report

DO NOT open a public GitHub issue for security vulnerabilities.

Instead, please report security issues via one of the following methods:

  1. Email: Send details to founder@nbr.company with the subject line "SECURITY: LearningMachines Vulnerability Report"
  2. GitHub Security Advisory: Use the GitHub Security Advisory feature (preferred)

What to Include

Please provide as much detail as possible:

  • Affected component(s): Which project(s) in the repository
  • Vulnerability type: E.g., code injection, denial of service, information disclosure
  • Steps to reproduce: Clear instructions to demonstrate the issue
  • Impact assessment: Potential consequences if exploited
  • Suggested fix: If you have ideas for remediation
  • Disclosure timeline: Your preferred timeline for public disclosure

Response Timeline

  • Initial Response: Within 48 hours of report
  • Triage: Within 5 business days
  • Fix Development: Depends on severity and complexity
  • Disclosure: Coordinated with reporter, typically within 90 days

Security Updates

Security patches are released as:

  1. Patch Versions: For individual project fixes (e.g., 0.2.1 → 0.2.2)
  2. GitHub Security Advisories: Published for high-severity issues
  3. CHANGELOG.md: All security fixes documented with clear descriptions

Best Practices for Consumers

If you're consuming LearningMachines components:

  1. Pin Versions: Use specific versions or commit SHAs in production
  2. Review Dependencies: Run pip list and audit transitive dependencies
  3. Isolate Environments: Use virtual environments or containers
  4. Input Validation: Always validate user inputs before passing to LearningMachines functions
  5. Monitor Updates: Watch the repository for security advisories
  6. Security Scanning: Use tools like safety, bandit, or pip-audit on your integrated codebase

Secure Development Guidelines

Contributors should follow secure coding practices:

  • Validate all inputs, especially in CLI and data loading functions
  • Avoid eval(), exec(), or dynamic code execution
  • Handle file operations safely (check paths, validate formats)
  • Document security assumptions in code comments
  • Add tests for boundary conditions and malformed inputs
  • Keep dependencies minimal and up-to-date

Security-Related Configuration

Dependency Management

Projects use pyproject.toml with pinned dependency ranges:

dependencies = [
    "numpy>=1.23,<2.0",
    "pandas>=2.0,<3.0",
]

This balances security updates with API stability.
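The two halves of this advice sit in tension: the projects themselves declare version ranges so that security updates flow in, while the "Best Practices for Consumers" section above asks integrators to pin exact versions or commit SHAs. The following checker is an added example, not code from the LearningMachines repository: it reads a requirements-style file and reports which specifiers are exactly pinned (optionally with a hash), pinned to a 40-character commit SHA, only range-constrained, or not constrained at all. The sample requirements text, the `example.invalid` URL, the commit SHA and the hash digest are all constructed placeholders.

```python
"""Added example: classify dependency specifiers by how tightly they are pinned.

Not part of the LearningMachines repository. SAMPLE_REQUIREMENTS is a constructed
input; the git URL, SHA and hash digest in it are placeholders.
"""
import re

# Constructed sample of a consumer's requirements file (not from the repository).
SAMPLE_REQUIREMENTS = """
# exact pin with a hash: reproducible and tamper-evident
numpy==1.26.4 --hash=sha256:PLACEHOLDER_DIGEST
# range constraints: fine for a library's pyproject.toml, loose for production
pandas>=2.0,<3.0
scikit-learn~=1.4
# commit pin for a git dependency (placeholder host and SHA)
learningmachines @ git+https://example.invalid/naviNBRuas/_LearningMachines@0123456789abcdef0123456789abcdef01234567
# no constraint at all
rich
"""

NAME_RE = re.compile(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)")
SHA_RE = re.compile(r"@[0-9a-f]{40}(?:#|\s|$)")
RANGE_RE = re.compile(r"(>=|<=|~=|!=|<|>)")


def parse_name(spec):
    """Return the distribution name at the start of a requirement line."""
    match = NAME_RE.match(spec)
    return match.group(1) if match else spec.strip()


def classify(spec):
    """Classify one requirement line by pinning strength.

    Returns one of: "exact+hash", "exact", "commit", "range", "unpinned".
    """
    has_hash = "--hash=" in spec
    req = spec.split("--hash=", 1)[0].strip()  # drop pip options before inspecting
    if "==" in req:
        return "exact+hash" if has_hash else "exact"
    if SHA_RE.search(req):
        return "commit"
    if RANGE_RE.search(req):
        return "range"
    return "unpinned"


def audit(text):
    """Map each requirement name in `text` to its pinning classification."""
    report = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        report[parse_name(line)] = classify(line)
    return report


def unpinned_names(text):
    """Names that a production consumer should tighten before deploying."""
    return sorted(name for name, status in audit(text).items()
                  if status in ("range", "unpinned"))


if __name__ == "__main__":
    for name, status in audit(SAMPLE_REQUIREMENTS).items():
        print(f"{name:20s} {status}")
    print("needs pinning:", unpinned_names(SAMPLE_REQUIREMENTS))
```

Range constraints are not wrong in a library's own `pyproject.toml`; the checker exists so that an integrator can run it over the lock file or requirements file they actually deploy from and confirm nothing there is left floating.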

Artifact Safety

  • All projects write outputs to timestamped artifacts/ directories
  • No execution of generated artifacts
  • CLI tools do not auto-execute scripts or models
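The "Secure Development Guidelines" and "Artifact Safety" sections above describe the pattern in words: validate paths and formats in data-loading code, test malformed input, and write outputs into timestamped `artifacts/` directories without executing anything there. The following is an added example of that pattern, not code from the LearningMachines repository: `safe_load_csv` confines a user-supplied path to a data directory, checks the extension, size and required columns, and rejects non-numeric cells; `new_artifact_dir` creates a fresh timestamped output directory. The function names, the constants and the CSV contents in `demo` are all assumptions constructed for the example.

```python
"""Added example: hardened data loading and artifact directory creation.

Not part of the LearningMachines repository; all names and sample data are
constructed for illustration.
"""
import csv
import tempfile
from datetime import datetime, timezone
from pathlib import Path

ALLOWED_SUFFIXES = {".csv"}        # assumed policy: only CSV is loaded here
MAX_BYTES = 50 * 1024 * 1024       # assumed cap to bound memory use


class UnsafeInputError(ValueError):
    """Raised for any input the loader refuses to process."""


def resolve_inside(base_dir, user_path):
    """Resolve `user_path` relative to `base_dir` and refuse escapes.

    Both sides are resolved so symlinks and '..' segments are followed before
    the containment check.
    """
    base = Path(base_dir).resolve()
    target = (base / user_path).resolve()
    if target != base and base not in target.parents:
        raise UnsafeInputError(f"path escapes data directory: {user_path}")
    return target


def safe_load_csv(base_dir, user_path, required_columns):
    """Load a numeric CSV from inside `base_dir`, validating path and content."""
    target = resolve_inside(base_dir, user_path)
    if target.suffix.lower() not in ALLOWED_SUFFIXES:
        raise UnsafeInputError(f"unsupported file type: {target.suffix}")
    if not target.is_file():
        raise UnsafeInputError(f"not a regular file: {user_path}")
    if target.stat().st_size > MAX_BYTES:
        raise UnsafeInputError("file exceeds size limit")
    rows = []
    with target.open(newline="", encoding="utf-8") as fh:
        reader = csv.DictReader(fh)
        missing = set(required_columns) - set(reader.fieldnames or [])
        if missing:
            raise UnsafeInputError(f"missing columns: {sorted(missing)}")
        for lineno, row in enumerate(reader, start=2):
            try:
                rows.append({c: float(row[c]) for c in required_columns})
            except (TypeError, ValueError):
                raise UnsafeInputError(f"non-numeric value on line {lineno}")
    return rows


def new_artifact_dir(root):
    """Create artifacts/<UTC timestamp>[ -n ] under `root`; never reuse a directory."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    parent = Path(root) / "artifacts"
    for attempt in range(100):
        candidate = parent / (stamp if attempt == 0 else f"{stamp}-{attempt}")
        try:
            candidate.mkdir(parents=True, exist_ok=False)
            return candidate
        except FileExistsError:
            continue  # another run in the same second; try a suffixed name
    raise RuntimeError("could not allocate an artifact directory")


def demo():
    """Exercise the loader on constructed good, malformed and out-of-tree inputs."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        data = Path(tmp) / "data"
        data.mkdir()
        (data / "good.csv").write_text("x,y\n1,2\n3,4\n")      # constructed, valid
        (data / "bad.csv").write_text("x,y\n1,two\n")           # constructed, malformed
        (Path(tmp) / "secret.txt").write_text("outside data/")  # constructed, out of tree
        results["rows"] = safe_load_csv(data, "good.csv", ["x", "y"])
        checks = {"traversal": "../secret.txt", "wrong_format": "notes.txt",
                  "malformed": "bad.csv", "missing": "nope.csv"}
        for label, rel in checks.items():
            try:
                safe_load_csv(data, rel, ["x", "y"])
                results[label] = "accepted"
            except UnsafeInputError:
                results[label] = "rejected"
        art = new_artifact_dir(tmp)
        results["artifact_ok"] = art.is_dir() and art.parent == Path(tmp) / "artifacts"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The containment check compares resolved paths rather than string prefixes, so a symlink inside the data directory pointing elsewhere is caught the same way as a `..` segment; `demo` doubles as the boundary-condition test the guidelines ask contributors to write.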

Third-Party Dependencies

LearningMachines relies on well-established libraries:

  • numpy: Numerical computing
  • pandas: Data manipulation
  • scikit-learn: ML algorithms
  • matplotlib/seaborn: Visualization
  • statsmodels: Statistical models
  • typer/rich: CLI interfaces

Security updates to these dependencies are incorporated promptly. Monitor:

Disclosure Policy

Coordinated Disclosure

We follow a coordinated disclosure process:

  1. Reporter submits vulnerability privately
  2. Maintainers acknowledge and investigate
  3. Fix is developed and tested
  4. Security advisory is drafted
  5. Fix is released with advisory
  6. Public disclosure occurs after fix is available

Public Disclosure

Once fixed:

  • GitHub Security Advisory published
  • CVE requested if applicable
  • CHANGELOG.md updated
  • Release notes include security notice
  • Reporter credited (if desired)

Security Hall of Fame

We appreciate responsible disclosure. Security researchers who report valid vulnerabilities will be acknowledged in ACKNOWLEDGMENTS.md (with permission).

Questions

For non-security questions about the project, please use:

  • GitHub Discussions
  • GitHub Issues (for bugs/features)
  • Email for private inquiries

For security concerns, always use the reporting methods above.


Last Updated: January 5, 2026

Thank you for helping keep LearningMachines and its users safe!
