MLflow and its community take security bugs seriously. We appreciate efforts to improve the security of MLflow and follow the GitHub coordinated disclosure of security vulnerabilities for responsible disclosure and prompt mitigation. We are committed to working with security researchers to resolve the vulnerabilities they discover.

The latest version of MLflow has continued support. If a critical vulnerability is found in the current version of MLflow, we may opt to backport patches to previous versions.

When finding a security vulnerability in Mlflow, open an issue on the Mlflow repo. Use [BUG] Security Vulnerability as title and do not mention vulnerability details in the issue.

An MLflow maintainer will:

• Acknowledge the bug during triage
• Mark the issue as priority/critical-urgent
• Open a draft GitHub Security Advisory to discuss the vulnerability details in private.

The private Security Advisory will be used to confirm the issue, prepare a fix, and publicly disclose it after the fix has been released.