Only the latest released version is considered supported for security fixes. Older releases are not treated as supported branches.
Security summary
Report security issues privately.
The public site is not the full policy page. The detailed security policy lives in the main Facenox repository.
Reports are normally acknowledged within 48 to 72 hours. The exact fix timeline still depends on severity and reproducibility.
Reporting
Use a private disclosure path, not a public issue.
Open a GitHub draft security advisory for the main Facenox repository instead of posting a public issue.
If GitHub advisories are not available to you, contact the maintainer privately instead of exposing the issue publicly.
High-severity examples
- Extracting raw face images or biometric templates unexpectedly
- Bypassing consent checks for enrollment or recognition
- Reading another organization's cloud data through a tenant-isolation bug
- Modifying attendance or audit data without authorization
Scope reminder
The open-source repository covers the desktop application and the desktop-side cloud integration points. A live Facenox Cloud environment has its own infrastructure and should be reviewed separately.