# Security Policy ## Reporting a Vulnerability We take security seriously. If you discover a security vulnerability, please report it responsibly. **Please do NOT report security vulnerabilities through public issues.** ### How to Report Email: hello@fromaitochitta.com Include: - Description of the vulnerability - Steps to reproduce - Potential impact - Any suggested fixes (optional) ### What to Expect - Acknowledgment within 48 hours - Regular updates on progress - Credit in the fix announcement (if desired) ## Supported Versions | Version | Supported | | ------- | ------------------ | | latest | :white_check_mark: | | < latest| :x: | ## Security Best Practices When using portfolio-optimiser-claude: - Keep dependencies updated - Keep your Claude API key in environment variables — never commit secrets - Follow the principle of least privilege for any data-source credentials ## Scope Note portfolio-optimiser-claude is a **technical framework**. Deploying organizations own their own data protection, risk, and compliance assessments (DPIA/ROS). The framework ships technical prerequisites (provenance stamping, a mandatory deterministic validator, an offline-by-default test suite) but makes no compliance guarantees.