| Version | Supported |
|---|---|
| 1.0.x | ✅ |

Please do not open a public GitHub issue for security vulnerabilities.
Report security issues privately using GitHub Security Advisories.
This keeps the report confidential until a patch is ready.
Alternatively, email the maintainer directly (address on the GitHub profile).
Include:
- A description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested mitigations

We follow a 90-day coordinated disclosure policy. You can expect an acknowledgement within 72 hours and a fix or mitigation plan within 14 days for confirmed issues.

Squish runs fully locally with no network traffic except:
- `huggingface-hub` model downloads (initiated explicitly by the user via `squish pull`)
- The API server listens on `localhost` only by default

There is no authentication on the local API server by design — it is intended for single-user local use only. Do not expose the server port to untrusted networks without adding your own authentication layer (e.g. via a reverse proxy).