44 lines
1.3 KiB
Markdown
44 lines
1.3 KiB
Markdown
# Security Policy
|
|
|
|
## Reporting a Vulnerability
|
|
|
|
We take security seriously. If you discover a security vulnerability, please report it responsibly.
|
|
|
|
**Please do NOT report security vulnerabilities through public issues.**
|
|
|
|
### How to Report
|
|
|
|
Email: hello@fromaitochitta.com
|
|
|
|
Include:
|
|
- Description of the vulnerability
|
|
- Steps to reproduce
|
|
- Potential impact
|
|
- Any suggested fixes (optional)
|
|
|
|
### What to Expect
|
|
|
|
- Acknowledgment within 48 hours
|
|
- Regular updates on progress
|
|
- Credit in the fix announcement (if desired)
|
|
|
|
## Supported Versions
|
|
|
|
| Version | Supported |
|
|
| ------- | ------------------ |
|
|
| latest | :white_check_mark: |
|
|
| < latest| :x: |
|
|
|
|
## Security Best Practices
|
|
|
|
When using portfolio-optimiser:
|
|
- Keep dependencies updated
|
|
- Use environment variables for sensitive configuration — never commit secrets
|
|
- Prefer the local-only backend profile; the framework makes no silent network egress
|
|
- Follow the principle of least privilege for any data-source credentials
|
|
|
|
## Scope Note
|
|
|
|
portfolio-optimiser is a **technical framework**. Deploying organizations own their own data
|
|
protection, risk, and compliance assessments (DPIA/ROS). The framework ships technical
|
|
prerequisites (local-only mode, provenance, no silent egress) but makes no compliance guarantees.
|