We support the latest minor release plus the previous one. Older minors receive security fixes only at our discretion.

We take security seriously. If you discover a security vulnerability in LLMKube, please report it responsibly.

1. Do NOT open a public GitHub issue for security vulnerabilities.
2. Preferred: use GitHub's private vulnerability reporting. Reports stay private, are tracked in one place, and let us publish an advisory once a fix ships.
3. Alternative: email contact@defilan.com.

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

• Acknowledgment: Within 48 hours
• Initial Assessment: Within 7 days
• Resolution Target: Within 30 days for critical issues

This security policy applies to:

• LLMKube controller
• CLI (llmkube)
• Helm charts
• Container images published to GHCR

• Third-party dependencies (report to upstream)
• LLM model vulnerabilities (report to model providers)
• Self-hosted llama.cpp issues (report to llama.cpp project)

When deploying LLMKube:

1. Use RBAC: Restrict who can create InferenceService resources
2. Network Policies: Isolate inference pods from sensitive workloads
3. Resource Limits: Always set CPU/memory limits to prevent DoS
4. Image Verification: Use image digests in production Helm values
5. Air-gapped Models: Pre-download models for sensitive environments