okr/SECURITY.md

1.6 KiB

Security Policy

Supported Versions

Version Supported
>= 1.0.0

Reporting a Vulnerability

If you discover a security vulnerability, please:

  1. Do not open a public issue
  2. Email the maintainer directly, or report privately via the Forgejo repository (git.fromaitochitta.com/open/okr)
  3. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if any)

What to Expect

  • Acknowledgment within 48 hours
  • Status update within 7 days
  • Fix timeline depends on severity

Security Considerations

This plugin handles OKR data which may contain sensitive organizational information:

Data Handling

  • All processing happens locally in Claude Code
  • No data is transmitted to external services (except configured integrations)
  • Linear integration uses your own API credentials

Sensitive Files

The following files contain sensitive data and are gitignored:

File Contents
.claude/okr.local.md Linear API configuration, team settings
.mcp.json MCP server credentials

Best Practices

  • Never commit okr.local.md to version control
  • Use environment variables for API keys when possible
  • Review OKR content before sharing externally
  • Consider data classification when tracking sensitive objectives

Linear Integration Security

If using Linear integration:

  • API keys are stored locally in okr.local.md
  • Use team-scoped API keys, not personal tokens
  • Rotate keys periodically
  • Review Linear's security documentation