If you discover a security vulnerability in Cast, please report it responsibly.

Do not open a public GitHub issue for security vulnerabilities.

Instead, please use GitHub's private vulnerability reporting to submit your report.

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

• Acknowledgment: Within 48 hours
• Initial assessment: Within 1 week
• Fix timeline: Depends on severity, typically within 2 weeks for critical issues

Cast is a library that runs locally on Apple Silicon devices. Security concerns primarily involve:

• Malicious model outputs bypassing constrained decoding
• Memory safety issues in grammar compilation or sampling
• Denial of service through crafted schemas or inputs

Only the latest release receives security updates.