Report issues privately.
We accept security reports through a private disclosure policy. This lets us patch vulnerabilities before making them public.
Supported Versions
Only the latest release is actively supported for security fixes. We do not maintain legacy branches for security patches.
Response Times
All valid reports are acknowledged within 48 to 72 hours. Resolution timelines are dictated by severity and technical complexity.
Private Disclosure
Do not open public GitHub issues for security vulnerabilities. Use the private draft advisory path instead.
High-Severity Examples
Vulnerabilities that trigger an advisory and a prioritized fix:
Extracting raw face images or biometric templates unexpectedly
Bypassing consent checks for enrollment or recognition
Reading another organization's dashboard data through a tenant-isolation bug
Modifying attendance or audit data without authorization
Protection Scope
This policy covers the open-source Facenox Desktop core and its integration points. Live remote environments and hosting systems are governed by their own security policies.