portfolio-optimiser-claude/SECURITY.md

44 lines
1.2 KiB
Markdown

# Security Policy
## Reporting a Vulnerability
We take security seriously. If you discover a security vulnerability, please report it responsibly.
**Please do NOT report security vulnerabilities through public issues.**
### How to Report
Email: hello@fromaitochitta.com
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fixes (optional)
### What to Expect
- Acknowledgment within 48 hours
- Regular updates on progress
- Credit in the fix announcement (if desired)
## Supported Versions
| Version | Supported |
| ------- | ------------------ |
| latest | :white_check_mark: |
| < latest| :x: |
## Security Best Practices
When using portfolio-optimiser-claude:
- Keep dependencies updated
- Keep your Claude API key in environment variables — never commit secrets
- Follow the principle of least privilege for any data-source credentials
## Scope Note
portfolio-optimiser-claude is a **technical framework**. Deploying organizations own their own
data protection, risk, and compliance assessments (DPIA/ROS). The framework ships technical
prerequisites (provenance stamping, a mandatory deterministic validator, an offline-by-default
test suite) but makes no compliance guarantees.