Please do not open a public GitHub issue for security vulnerabilities.

Report security issues privately using GitHub Security Advisories.
This keeps the report confidential until a patch is ready.

Alternatively, email the maintainer directly (address on the GitHub profile).

Include:

• A description of the vulnerability
• Steps to reproduce
• Potential impact
• Any suggested mitigations

We follow a 90-day coordinated disclosure policy. You can expect an acknowledgement within 72 hours and a fix or mitigation plan within 14 days for confirmed issues.

Squish runs fully locally with no network traffic except:

• huggingface-hub model downloads (initiated explicitly by the user via squish pull)
• The API server listens on localhost only by default

There is no authentication on the local API server by design — it is intended for single-user local use only. Do not expose the server port to untrusted networks without adding your own authentication layer (e.g. via a reverse proxy).