If you discover a security vulnerability in wuming, please report it responsibly.
Contact: security@taoq.ai
Alternatively, you can use GitHub Security Advisories to report vulnerabilities privately.
Please do not open a public GitHub issue for security vulnerabilities.

In scope:
- Regular expression denial of service (ReDoS) in any detector pattern
- Incorrect redaction that leaks PII (e.g., partial replacement, off-by-one in byte offsets)
- Panics or crashes caused by crafted input
- Information leakage through error messages

Out of scope:
- Feature requests for new PII types or locales
- False positives or false negatives in detection (these are bugs, not security issues)
- Performance issues

Response timeline:
- Acknowledgment: within 3 business days
- Initial assessment: within 7 business days
- Fix or mitigation: best effort, typically within 30 days for confirmed vulnerabilities

This library processes text entirely in-process. It makes no network calls, stores no data, and has no external dependencies. The attack surface is limited to the input text provided by the caller.