44 lines
1.2 KiB
Markdown
44 lines
1.2 KiB
Markdown
# Security Policy
|
|
|
|
## Reporting a Vulnerability
|
|
|
|
We take security seriously. If you discover a security vulnerability, please report it responsibly.
|
|
|
|
**Please do NOT report security vulnerabilities through public issues.**
|
|
|
|
### How to Report
|
|
|
|
Email: hello@fromaitochitta.com
|
|
|
|
Include:
|
|
- Description of the vulnerability
|
|
- Steps to reproduce
|
|
- Potential impact
|
|
- Any suggested fixes (optional)
|
|
|
|
### What to Expect
|
|
|
|
- Acknowledgment within 48 hours
|
|
- Regular updates on progress
|
|
- Credit in the fix announcement (if desired)
|
|
|
|
## Supported Versions
|
|
|
|
| Version | Supported |
|
|
| ------- | ------------------ |
|
|
| latest | :white_check_mark: |
|
|
| < latest| :x: |
|
|
|
|
## Security Best Practices
|
|
|
|
When using portfolio-optimiser-claude:
|
|
- Keep dependencies updated
|
|
- Keep your Claude API key in environment variables — never commit secrets
|
|
- Follow the principle of least privilege for any data-source credentials
|
|
|
|
## Scope Note
|
|
|
|
portfolio-optimiser-claude is a **technical framework**. Deploying organizations own their own
|
|
data protection, risk, and compliance assessments (DPIA/ROS). The framework ships technical
|
|
prerequisites (provenance stamping, a mandatory deterministic validator, an offline-by-default
|
|
test suite) but makes no compliance guarantees.
|