1.6 KiB
1.6 KiB
Security Policy
Supported Versions
| Version | Supported |
|---|---|
| >= 1.0.0 | ✅ |
Reporting a Vulnerability
If you discover a security vulnerability, please:
- Do not open a public issue
- Email the maintainer directly, or report privately via the Forgejo repository (git.fromaitochitta.com/open/okr)
- Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
What to Expect
- Acknowledgment within 48 hours
- Status update within 7 days
- Fix timeline depends on severity
Security Considerations
This plugin handles OKR data which may contain sensitive organizational information:
Data Handling
- All processing happens locally in Claude Code
- No data is transmitted to external services (except configured integrations)
- Linear integration uses your own API credentials
Sensitive Files
The following files contain sensitive data and are gitignored:
| File | Contents |
|---|---|
.claude/okr.local.md |
Linear API configuration, team settings |
.mcp.json |
MCP server credentials |
Best Practices
- Never commit
okr.local.mdto version control - Use environment variables for API keys when possible
- Review OKR content before sharing externally
- Consider data classification when tracking sensitive objectives
Linear Integration Security
If using Linear integration:
- API keys are stored locally in
okr.local.md - Use team-scoped API keys, not personal tokens
- Rotate keys periodically
- Review Linear's security documentation