This codebase is research / training infrastructure: it does not run adversarially-exposed services, but it does load third-party checkpoints and execute model code from the wild.
If you find a security issue — for example, a Hydra config-injection path, a vulnerable dependency we ship, a model-load deserialization gap, or a credential-leak in commit history — please do not file a public issue. Email a description and reproduction steps to the repository owner via the contact information on the GitHub profile of the owner of this repo, or open a GitHub Security Advisory on the repository.
We will:
- Acknowledge receipt within 5 business days.
- Investigate and reply with an assessment within 14 business days.
- Coordinate a fix and disclosure timeline if the issue is valid.
This is a research codebase, not a maintained product line. Only
main and the most recent release tag (currently v0.1.0) receive
fixes. Older tags / branches are provided as-is.
- Issues in upstream dependencies (
volcengine/verl,huggingface/transformers,vllm-project/vllm,Wan-Video,tgxs002/HPSv2, etc.) should be reported to those projects directly. We will pick up upstream fixes as we re-pin therequirements*.txtfiles. - Model weights from third parties (Wan, HPS-v2, DINOv2, VideoCLIP-XL, RAFT, VideoPhy) are linked-to but not redistributed by this repository. Their security / provenance is the responsibility of the publisher.