# Security Policy ## Reporting a Vulnerability We take security seriously. If you discover a security vulnerability, please report it responsibly. **Please do NOT report security vulnerabilities through public issues.** ### How to Report Email: hello@fromaitochitta.com Include: - Description of the vulnerability - Steps to reproduce - Potential impact - Any suggested fixes (optional) ### What to Expect - Acknowledgment within 48 hours - Regular updates on progress - Credit in the fix announcement (if desired) ## Supported Versions | Version | Supported | | ------- | ------------------ | | latest | :white_check_mark: | | < latest| :x: | ## Security Best Practices When using portfolio-optimiser: - Keep dependencies updated - Use environment variables for sensitive configuration — never commit secrets - Prefer the local-only backend profile; the framework makes no silent network egress - Follow the principle of least privilege for any data-source credentials ## Scope Note portfolio-optimiser is a **technical framework**. Deploying organizations own their own data protection, risk, and compliance assessments (DPIA/ROS). The framework ships technical prerequisites (local-only mode, provenance, no silent egress) but makes no compliance guarantees.