Skip to content

Security: tinyhumansai/tinyjuice

Security

SECURITY.md

Security Policy

TinyJuice is a token compression library. Security-sensitive areas include prompt and context handling, sensitive data retention, accidental disclosure in reports or logs, policy-preserved instructions, and credentials included in model-facing context.

Report concerns to contact@tinyhumans.ai.

Supported Versions

TinyJuice is pre-1.0. Security fixes target the main branch until the project starts maintaining release branches.

Reporting A Vulnerability

Please do not open a public issue for a suspected vulnerability.

Report security concerns by emailing security@tinyhumans.ai with:

  • a description of the issue
  • affected versions or commits
  • reproduction steps or proof of concept
  • impact assessment
  • any suggested fix or mitigation

We will acknowledge reports as quickly as practical and coordinate disclosure before publishing details.

Scope

Examples of in-scope issues:

  • leaking raw prompt, context, or credential material through reports or logs
  • dropping system or safety instructions despite preservation policy
  • cross-conversation context leakage in adapter code
  • unsafe handling of credentials or secrets embedded in model input
  • dependency vulnerabilities with a practical exploit path in TinyJuice

Examples generally out of scope:

  • model hallucination or low-quality model output by itself
  • expected information loss from an explicitly selected lossy strategy
  • vulnerabilities in downstream applications that use TinyJuice incorrectly

Security Design Direction

TinyJuice should treat prompt and context input as sensitive. Compression strategies should avoid logging raw text, make lossy behavior explicit, and preserve caller-marked instructions unless the caller opts into a different policy.

There aren't any published security advisories