hybrid routes LLM queries between a local model and a frontier API — the privacy promise is that queries answered locally never leave your machine. Vulnerability reports get priority attention.
Please do not open a public issue for security reports.
- Preferred: GitHub private vulnerability reporting — creates a private advisory visible only to maintainers.
- Email: support@askalf.org with
hybrid securityin the subject.
You'll get an acknowledgement within 72 hours. Please include a minimal reproduction where possible.
Only the latest release receives security fixes; there are no maintenance branches.
- Query content (or fragments of it) sent off-machine when the routing decision or configuration says it should stay local
- Prompt content that manipulates the routing decision itself (adversarial forced escalation)
- Frontier API keys or query content leaking into logs, telemetry, or error output