60 lines
1.6 KiB
Markdown
60 lines
1.6 KiB
Markdown
# Security Policy
|
|
|
|
## Supported Versions
|
|
|
|
| Version | Supported |
|
|
| ------- | ------------------ |
|
|
| >= 1.0.0 | :white_check_mark: |
|
|
|
|
## Reporting a Vulnerability
|
|
|
|
If you discover a security vulnerability, please:
|
|
|
|
1. **Do not** open a public issue
|
|
2. Email the maintainer directly, or report privately via the Forgejo repository (git.fromaitochitta.com/open/okr)
|
|
3. Include:
|
|
- Description of the vulnerability
|
|
- Steps to reproduce
|
|
- Potential impact
|
|
- Suggested fix (if any)
|
|
|
|
## What to Expect
|
|
|
|
- Acknowledgment within 48 hours
|
|
- Status update within 7 days
|
|
- Fix timeline depends on severity
|
|
|
|
## Security Considerations
|
|
|
|
This plugin handles OKR data which may contain sensitive organizational information:
|
|
|
|
### Data Handling
|
|
|
|
- All processing happens locally in Claude Code
|
|
- No data is transmitted to external services (except configured integrations)
|
|
- Linear integration uses your own API credentials
|
|
|
|
### Sensitive Files
|
|
|
|
The following files contain sensitive data and are gitignored:
|
|
|
|
| File | Contents |
|
|
|------|----------|
|
|
| `.claude/okr.local.md` | Linear API configuration, team settings |
|
|
| `.mcp.json` | MCP server credentials |
|
|
|
|
### Best Practices
|
|
|
|
- Never commit `okr.local.md` to version control
|
|
- Use environment variables for API keys when possible
|
|
- Review OKR content before sharing externally
|
|
- Consider data classification when tracking sensitive objectives
|
|
|
|
## Linear Integration Security
|
|
|
|
If using Linear integration:
|
|
|
|
- API keys are stored locally in `okr.local.md`
|
|
- Use team-scoped API keys, not personal tokens
|
|
- Rotate keys periodically
|
|
- Review Linear's security documentation
|