portfolio-optimiser/SECURITY.md

44 lines
1.3 KiB
Markdown

# Security Policy
## Reporting a Vulnerability
We take security seriously. If you discover a security vulnerability, please report it responsibly.
**Please do NOT report security vulnerabilities through public issues.**
### How to Report
Email: hello@fromaitochitta.com
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fixes (optional)
### What to Expect
- Acknowledgment within 48 hours
- Regular updates on progress
- Credit in the fix announcement (if desired)
## Supported Versions
| Version | Supported |
| ------- | ------------------ |
| latest | :white_check_mark: |
| < latest| :x: |
## Security Best Practices
When using portfolio-optimiser:
- Keep dependencies updated
- Use environment variables for sensitive configuration — never commit secrets
- Prefer the local-only backend profile; the framework makes no silent network egress
- Follow the principle of least privilege for any data-source credentials
## Scope Note
portfolio-optimiser is a **technical framework**. Deploying organizations own their own data
protection, risk, and compliance assessments (DPIA/ROS). The framework ships technical
prerequisites (local-only mode, provenance, no silent egress) but makes no compliance guarantees.