SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers
PyTorch Foundation adds Safetensors for safer AI models

Wed, 8th Apr 2026

The PyTorch Foundation has added Safetensors as a hosted project, bringing a widely used AI model distribution format into its open source portfolio.

Developed and maintained by Hugging Face, Safetensors is designed to prevent arbitrary code execution when model files are shared. It addresses a long-standing risk tied to earlier pickle-based approaches used in parts of the machine learning ecosystem, where deserialising a model file can run code embedded in it.

Safetensors now joins DeepSpeed, Helion, PyTorch, Ray and vLLM in the Foundation's hosted project line-up. The addition is part of its effort to support open source AI projects under the Linux Foundation.

Model distribution has become a more sensitive part of the AI development chain as organisations move models from research into production. In that process, file formats and serialisation methods matter because they can introduce security risks if they allow untrusted code to run during loading.

Safetensors is meant to avoid that problem by storing tensor data in a way that does not permit arbitrary code execution. It has also gained broad use as a metadata format for model distribution, particularly in the open source machine learning community.
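To show concretely what "storing tensor data in a way that does not permit arbitrary code execution" means, here is an added, self-contained writer and checked reader for the safetensors layout (8-byte little-endian header length, a JSON header of names, dtypes, shapes and byte offsets, then raw tensor bytes). It is illustrative code written for this article, not the Safetensors library's own implementation; it assumes a small dtype subset and plain Python lists instead of framework tensors, and the only parsing it does is `json.loads` and `struct.unpack`, so a hostile header can at most fail validation, never execute anything.

```python
import json
import math
import struct

DTYPES = {"F32": "f", "F64": "d", "I32": "i", "I64": "q", "U8": "B"}  # subset of the format's tags

def save_safetensors(tensors, metadata=None):
    """Encode {name: (dtype, shape, flat values)} as safetensors bytes: 8-byte little-endian
    header length, JSON header (names, dtypes, shapes, byte offsets; never code), raw data."""
    header, buf = {}, bytearray()
    if metadata:
        header["__metadata__"] = {str(k): str(v) for k, v in metadata.items()}
    for name, (dtype, shape, values) in tensors.items():
        start = len(buf)
        buf += struct.pack(f"<{len(values)}{DTYPES[dtype]}", *values)
        header[name] = {"dtype": dtype, "shape": list(shape),
                        "data_offsets": [start, len(buf)]}
    hdr = json.dumps(header).encode()
    return struct.pack("<Q", len(hdr)) + hdr + bytes(buf)

def load_safetensors(data, max_header=100 * 1024 * 1024):
    """Decode safetensors bytes into {name: (shape, values)} with bounds checks.
    Loading is json.loads plus struct.unpack: nothing in the file is executed."""
    n = struct.unpack("<Q", data[:8])[0] if len(data) >= 8 else None
    if n is None or n > max_header or 8 + n > len(data):
        raise ValueError("truncated file or header length out of bounds")
    header = json.loads(data[8:8 + n])
    body = memoryview(data)[8 + n:]
    out, seen = {}, []
    for name, info in header.items():
        if name == "__metadata__":
            continue
        dtype, shape, (start, end) = info["dtype"], info["shape"], info["data_offsets"]
        if dtype not in DTYPES:
            raise ValueError(f"{name}: unsupported dtype {dtype}")
        count, width = math.prod(shape), struct.calcsize("<" + DTYPES[dtype])
        if not (0 <= start <= end <= len(body)) or end - start != count * width:
            raise ValueError(f"{name}: data_offsets disagree with shape and dtype")
        if any(start < e and s < end for s, e in seen):
            raise ValueError(f"{name}: overlapping tensor data")
        seen.append((start, end))
        out[name] = (tuple(shape), list(struct.unpack(f"<{count}{DTYPES[dtype]}", body[start:end])))
    return out

def safe_to_load(data):
    """True when the file parses and every tensor's offsets check out, else False."""
    try:
        return load_safetensors(data) is not None
    except (ValueError, KeyError, TypeError, AttributeError):
        return False
```

Compare this with `pickle.load`, whose unpickler will happily call whatever the file names: here a malformed or tampered header is rejected before any data is touched, and there is no code path that could execute file contents.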

Mark Collier, Executive Director of the PyTorch Foundation, said the addition reflects a broader effort to make open source AI tooling safer to use at scale.

"Safetensors' contribution to the PyTorch Foundation is an important step towards scaling production-grade AI models," said Collier.

"Safetensors ensures secure model distribution and de-risks code execution, all while offering significant speed across complex computing architectures. For security, Safetensors is a crucial piece of the open source AI stack that will drive fast, secure, and technically advanced AI."

Security focus

The issue at the centre of the announcement is not the model itself, but how models are packaged and shared. In practice, developers often download model weights and related files from repositories before running them locally or in cloud systems. If those files use formats that can execute code, users may face hidden risks.

That has made safer serialisation formats an increasingly important part of AI infrastructure. The rise of open-weight models has increased the volume of files exchanged across research groups, developers and companies, drawing more attention to how these artefacts are distributed.

Safetensors has emerged as one of the most prominent alternatives. Its design has helped make it a standard choice for many model publishers seeking to reduce exposure to unsafe loading methods while keeping files easy to share and use.

Supporters of the move said joining the PyTorch Foundation could widen the project's reach and strengthen its governance within a larger open source structure.

"Safetensors joining the PyTorch Foundation is an important step towards using a safe serialization format everywhere by default. The new ecosystem and exposure the library will gain from this move will solidify its security guarantees and usability. Safetensors is a well-established project, adopted by the ecosystem at large, but we're still convinced we're at the very beginning of its lifecycle: the coming months will see significant growth, and we couldn't think of a better home for that next chapter than the PyTorch Foundation," said Luc Georges, Co-Maintainer, Safetensors, and Lysandre Debut, Chief Open Source Officer, Hugging Face.

Open source stack

The addition also reflects how AI foundations are expanding beyond core training frameworks into adjacent infrastructure. While PyTorch remains central to the Foundation's identity, its hosted project list now spans model training, inference and model-handling tools.

That broader remit has become more relevant as open source AI projects are used together in production environments. In those settings, security and interoperability issues can emerge from the links between tools rather than from any one framework in isolation.

Matt White, who holds roles at both the Linux Foundation and the PyTorch Foundation, said Safetensors and Helion reflect that broader technical direction.

"Safetensors joining the PyTorch Foundation promises safer, more interoperable packaging for model artifacts. The project has become a de facto standard for open-weight model distribution by halting risk associated with arbitrary code execution while also supporting fast, practical loading workflows. Together with Helion, these contributions to the Foundation solidify the technical future for open source AI," said Matt White, Global CTO of AI at the Linux Foundation and CTO of the PyTorch Foundation.