# Security

## Reporting Vulnerabilities

If you discover a security vulnerability, please report it privately:

- **Email:** Elmadani.SALKA@proton.me
- **Subject:** [SECURITY] Brief description
- **Do NOT** open a public issue for security vulnerabilities

Response time: within 48 hours. Critical vulnerabilities are patched within 7 days.

## Security Design

Inference-X is designed for deployment in security-sensitive environments (defense, healthcare, finance, critical infrastructure).

### Air-Gap Architecture

- No network calls during inference. Ever.
- No telemetry, analytics, or phone-home behavior
- No external dependencies (zero supply-chain attack surface)
- Models are local files — no download during operation
- The API server (`--serve`) is opt-in and local-only by default

### Build Integrity

- Single-file compilation — full source is visible and auditable
- No build-time code generation or preprocessor tricks
- Binary reproducibility: same source + same compiler = same binary
- No obfuscation — all code is readable

### Identity Verification

The binary carries compile-time authorship attribution for intellectual property protection. This does not affect functionality or performance.

## Supported Versions

| Version | Supported |
|---------|-----------|
| Latest  | ✅        |

## Trademarks

"Inference-X" is a trademark of Salka Elmadani. See ENFORCEMENT.md for usage guidelines.