portfolio-optimiser/SECURITY.md

1.3 KiB

Security Policy

Reporting a Vulnerability

We take security seriously. If you discover a security vulnerability, please report it responsibly.

Please do NOT report security vulnerabilities through public issues.

How to Report

Email: hello@fromaitochitta.com

Include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Any suggested fixes (optional)

What to Expect

  • Acknowledgment within 48 hours
  • Regular updates on progress
  • Credit in the fix announcement (if desired)

Supported Versions

Version Supported
latest
< latest

Security Best Practices

When using portfolio-optimiser:

  • Keep dependencies updated
  • Use environment variables for sensitive configuration — never commit secrets
  • Prefer the local-only backend profile; the framework makes no silent network egress
  • Follow the principle of least privilege for any data-source credentials

Scope Note

portfolio-optimiser is a technical framework. Deploying organizations own their own data protection, risk, and compliance assessments (DPIA/ROS). The framework ships technical prerequisites (local-only mode, provenance, no silent egress) but makes no compliance guarantees.