This document outlines the security policies and procedures for the Unbitrium project, a production-grade Federated Learning Simulator developed at the Technical University of Denmark.
The following versions of Unbitrium receive security updates:
| Version | Support Status | End of Support |
|---|---|---|
| 1.0.x | Active | To be determined |
| < 1.0 | Unsupported | Not applicable |
Security patches are released as point releases (e.g., 1.0.1, 1.0.2) and maintain backward compatibility within the same major version. Users are strongly encouraged to update to the latest patch release.
To report a security vulnerability, please contact the project maintainer directly:
When submitting a vulnerability report, please include the following information:
- **Vulnerability Type**: Classification of the vulnerability (e.g., remote code execution, information disclosure, denial of service, injection attack).
- **Affected Component**: The specific module, function, or file containing the vulnerability.
- **Location**: File path, line numbers, and relevant code snippets if available.
- **Affected Versions**: List of versions known to be affected.
- **Reproduction Steps**: Detailed, step-by-step instructions to reproduce the vulnerability.
- **Proof of Concept**: Code, scripts, or other materials demonstrating the vulnerability.
- **Impact Assessment**: Description of the potential security impact and attack scenarios.
- **Suggested Remediation**: If available, proposed fixes or mitigation strategies.
Please do NOT disclose the vulnerability publicly through GitHub Issues, pull requests, discussion forums, social media, or other public channels until a fix has been released and an appropriate disclosure period has elapsed.
The Unbitrium project follows coordinated vulnerability disclosure practices in accordance with industry standards.
Upon receiving a vulnerability report, the security team will:
The security team will:
Based on the severity assessment:
Following the release of a security fix:
| Phase | Timeframe | Description |
|---|---|---|
| Acknowledgment | 48 hours | Confirmation of report receipt |
| Initial Assessment | 7 days | Severity evaluation and verification |
| Critical Fix | 30 days | Remediation for critical vulnerabilities |
| High Severity Fix | 60 days | Remediation for high severity issues |
| Medium/Low Fix | 90 days | Remediation for medium and low severity issues |
| Public Disclosure | Post-fix | After patch is available to users |
requirements.txt, poetry.lock) to ensure reproducible and auditable installations.
The project employs the following security tools:
| Tool | Purpose |
|---|---|
| Dependabot | Automated dependency updates and vulnerability alerts |
| CodeQL | Static application security testing (SAST) |
| OSV-Scanner | Open source vulnerability detection |
| pip-audit | Python dependency vulnerability scanning |
| Update Type | Frequency |
|---|---|
| Security Patches | Immediate upon availability |
| Minor Updates | Monthly review cycle |
| Major Updates | Quarterly review cycle |
The following components are covered by this security policy:
src/unbitrium/)
The following are not covered by this security policy:
We appreciate the security research community’s efforts in identifying and responsibly disclosing vulnerabilities. Contributors who report security issues will be acknowledged in release notes and security advisories unless anonymity is requested.
Last Updated: January 2026
This security policy is subject to revision. Please check for updates periodically.