NVIDIA is dedicated to the security and trust of our software products and services, including all source code repositories managed through our organization.

A machine-generated constraints.txt is maintained at the root of this repository. It lists the minimum versions of all dependencies (direct and transitive) required to avoid known CVEs tracked by Dependabot.

Downstream users who want to apply these floors can pass it to their installer:

pip install nemo-safe-synthesizer -c constraints.txt
uv pip install nemo-safe-synthesizer -c constraints.txt

If you need to report a security issue, please use the appropriate contact points outlined below. Please do not report security vulnerabilities through GitHub. If a potential security issue is inadvertently reported via a public issue or pull request, NVIDIA maintainers may limit public discussion and redirect the reporter to the appropriate private disclosure channels.

To report a potential security vulnerability in any NVIDIA product:

• Web: Security Vulnerability Submission Form

• E-Mail: [email protected]

• We encourage you to use the following PGP key for secure email communication: NVIDIA public PGP Key for communication

• Please include the following information:

• Product/Driver name and version/branch that contains the vulnerability

• Type of vulnerability (code execution, denial of service, buffer overflow, etc.)

• Instructions to reproduce the vulnerability

• Proof-of-concept or exploit code

• Potential impact of the vulnerability, including how an attacker could exploit the vulnerability

While NVIDIA currently does not have a bug bounty program, we do offer acknowledgement when an externally reported security issue is addressed under our coordinated vulnerability disclosure policy. Please visit our Product Security Incident Response Team (PSIRT) policies page for more information.

For all security-related concerns, please visit NVIDIA's Product Security portal at https://www.nvidia.com/en-us/security