
Security: suteny0r/ALPR


SECURITY.md

Security Policy

Supported Versions

We release security updates for the following versions:

Version Supported
1.x.x
< 1.0

Reporting a Vulnerability

We take the security of the ALPR System seriously. If you believe you have found a security vulnerability, please report it to us responsibly.

How to Report

DO NOT open a public GitHub issue for security vulnerabilities.

Instead, please email security concerns to:

What to Include

Please include the following information:

  1. Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
  2. Full paths of source file(s) related to the manifestation of the issue
  3. Location of affected source code (tag/branch/commit or direct URL)
  4. Step-by-step instructions to reproduce the issue
  5. Proof-of-concept or exploit code (if possible)
  6. Impact of the issue, including how an attacker might exploit it

Response Timeline

  • Initial Response: Within 48 hours
  • Status Update: Within 7 days
  • Fix Timeline: Varies based on severity
    • Critical: 1-7 days
    • High: 7-30 days
    • Medium: 30-90 days
    • Low: Best effort

Disclosure Policy

  • Please give us reasonable time to fix the issue before public disclosure
  • We will credit you in the security advisory (unless you prefer to remain anonymous)
  • We will notify you when the fix is released

Security Considerations

Video Surveillance and Privacy

This software processes video feeds and may capture personal information. Users are responsible for:

  1. Legal Compliance:

    • Comply with local laws regarding video surveillance
    • Comply with data protection regulations (GDPR, CCPA, etc.)
    • Obtain necessary permissions for surveillance
  2. Data Protection:

    • Secure storage of captured images and license plate data
    • Implement access controls for sensitive data
    • Regular deletion of old data per retention policies
    • Encryption of data at rest and in transit
  3. Privacy Features:

    • Enable face blurring if capturing public areas
    • Limit data retention to necessary periods
    • Implement data anonymization where possible

Network Security

If you use RTSP cameras or the web API:

  1. Authentication:

    • Use strong passwords for camera credentials
    • Store credentials in environment variables, not config files
    • Use HTTPS/TLS for API endpoints
  2. Network Isolation:

    • Run cameras on an isolated network segment
    • Use VPN for remote access
    • Implement firewall rules
  3. Updates:

    • Keep dependencies updated
    • Monitor for security advisories
    • Apply patches promptly

Secure Configuration

  1. API Keys and Secrets:

    # DON'T commit secrets to git
    # Use environment variables instead
    database:
      password: ${DB_PASSWORD}  # Read from environment
  2. File Permissions:

    • Restrict access to configuration files
    • Limit write access to output directories
    • Run with minimal necessary privileges
  3. Database Security:

    • Use parameterized queries to prevent SQL injection
    • Implement proper authentication
    • Encrypt sensitive fields

Known Security Considerations

  1. Model Files:

    • Downloaded models are executed as code
    • Only download models from trusted sources (official repositories)
    • Verify checksums when possible
  2. Video Input:

    • Untrusted video files may contain exploits
    • Validate video file format before processing
    • Run in sandboxed environment if processing user-uploaded videos
  3. OCR Output:

    • OCR output is untrusted input: recognized license plate text may carry injection payloads
    • Escape or sanitize plate text before rendering it in web interfaces
    • Validate plate text against the expected format before inserting it into the database
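One way to apply the OCR Output and Database Security points above, as an added Python example that is not part of the ALPR project's code: plate text is checked against an allowlist pattern, bound as a parameter in the SQL insert, and HTML-escaped for display. The plate pattern, the `sightings` table and the camera id are assumptions; a real deployment must use the plate format of its own jurisdiction.

```python
import html
import re
import sqlite3
from typing import Optional

# Hypothetical allowlist: 2-8 alphanumerics, optionally followed by up to two
# hyphen- or space-separated groups. Anything outside this alphabet (quotes,
# angle brackets, semicolons, ...) is rejected, not escaped.
PLATE_RE = re.compile(r"^[A-Z0-9]{2,8}(?:[- ][A-Z0-9]{1,4}){0,2}$")


def normalize_plate(raw: str) -> Optional[str]:
    """Collapse whitespace, upper-case, and return the plate only if it matches the allowlist."""
    cleaned = " ".join(raw.strip().upper().split())
    return cleaned if PLATE_RE.fullmatch(cleaned) else None


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    """Open the (hypothetical) sightings database, creating the table if needed."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS sightings ("
        "id INTEGER PRIMARY KEY, plate TEXT NOT NULL, camera_id TEXT NOT NULL)"
    )
    return conn


def store_plate(conn: sqlite3.Connection, raw_ocr_text: str, camera_id: str) -> bool:
    """Validate OCR output, then insert it with a parameterized query. Returns False if rejected."""
    plate = normalize_plate(raw_ocr_text)
    if plate is None:
        return False
    # The plate is bound as data; it is never interpolated into the SQL string.
    conn.execute(
        "INSERT INTO sightings (plate, camera_id) VALUES (?, ?)", (plate, camera_id)
    )
    conn.commit()
    return True


def render_plate_cell(plate: str) -> str:
    """Escape plate text before embedding it in HTML; OCR output is treated as untrusted."""
    return f"<td>{html.escape(plate, quote=True)}</td>"


if __name__ == "__main__":
    db = open_db()
    # Constructed sample OCR outputs: one clean read, one with stray characters.
    for sample in ("  ab 123 cd ", "ab'; -- 123"):
        print(repr(sample), "stored" if store_plate(db, sample, "cam-01") else "rejected")
```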

Security Best Practices

For Deployment

  1. Least Privilege:

    • Run application with minimal required permissions
    • Don't run as root/administrator
  2. Monitoring:

    • Monitor logs for suspicious activity
    • Set up alerts for unusual patterns
    • Regular security audits
  3. Backups:

    • Regular backups of configuration and data
    • Test backup restoration
    • Secure backup storage

For Development

  1. Dependencies:

    • Regularly update dependencies
    • Use pip-audit to check for known vulnerabilities
    • Pin dependency versions in production
  2. Code Review:

    • Review all code changes for security implications
    • Use static analysis tools
    • Follow secure coding guidelines
  3. Testing:

    • Test with malformed/malicious inputs
    • Validate error handling
    • Check for information leakage in error messages

Vulnerability Disclosure History

No vulnerabilities have been disclosed yet.
Last Updated: 2025-10-20

For questions about this security policy, contact suteny0r@gmail.com
