okr/SECURITY.md

60 lines
1.6 KiB
Markdown

# Security Policy
## Supported Versions
| Version | Supported |
| ------- | ------------------ |
| >= 1.0.0 | :white_check_mark: |
## Reporting a Vulnerability
If you discover a security vulnerability, please:
1. **Do not** open a public issue
2. Email the maintainer directly, or report privately via the Forgejo repository (git.fromaitochitta.com/open/okr)
3. Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
## What to Expect
- Acknowledgment within 48 hours
- Status update within 7 days
- Fix timeline depends on severity
## Security Considerations
This plugin handles OKR data which may contain sensitive organizational information:
### Data Handling
- All processing happens locally in Claude Code
- No data is transmitted to external services (except configured integrations)
- Linear integration uses your own API credentials
### Sensitive Files
The following files contain sensitive data and are gitignored:
| File | Contents |
|------|----------|
| `.claude/okr.local.md` | Linear API configuration, team settings |
| `.mcp.json` | MCP server credentials |
### Best Practices
- Never commit `okr.local.md` to version control
- Use environment variables for API keys when possible
- Review OKR content before sharing externally
- Consider data classification when tracking sensitive objectives
## Linear Integration Security
If using Linear integration:
- API keys are stored locally in `okr.local.md`
- Use team-scoped API keys, not personal tokens
- Rotate keys periodically
- Review Linear's security documentation