Security: devin-lai/locateanything-coreml

Security Policy

locateanything-coreml is intended as a local, single-user tool. The REST server binds to 127.0.0.1 by default and is not designed as a production network service.

Reporting Vulnerabilities

Please report security issues through GitHub private vulnerability reporting if it is enabled for the repository. If not, open a minimal public issue that says you have a vulnerability report to share, without posting exploit details.

Useful reports include:

  • unsafe file access behavior in CLI, REST, or MCP surfaces;
  • denial-of-service cases triggered by malformed inputs;
  • dependency vulnerabilities that affect default installs;
  • cases where the local server becomes reachable beyond localhost.

Supported Versions

Security fixes target the latest released version. Older versions may receive documentation-only guidance if the fix is risky or invasive.

There aren't any published security advisories