# Security Policy

## Supported Versions

| Version | Supported          |
| ------- | ------------------ |
| 0.1.x   | :white_check_mark: |

## Reporting a Vulnerability

**Please DO NOT report security vulnerabilities via public GitHub issues.**

### Private Reporting

Send vulnerability reports to: **jpl@jesusperez.com**

Include in your report:

- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

### Response Timeline

- **Acknowledgment**: Within 48 hours
- **Initial assessment**: Within 1 week
- **Fix timeline**: Depends on severity (coordinated with reporter)
- **Public disclosure**: After fix is released (coordinated disclosure)

### Security Advisories

We use [GitHub Security Advisories](https://github.com/jesusperezlorenzo/typedialog/security/advisories) for:

- Private coordination on fixes
- CVE assignment
- Public disclosure after fixes

## Security Best Practices

### For Users

1. **Verify downloads**: Check SHA256 checksums

   ```bash
   sha256sum -c SHA256SUMS
   ```

2. **Use latest version**: Security fixes are not backported
3. **Audit dependencies**: Run `just dev::audit` regularly

### For Contributors

1. **Input validation**: Validate all user input
2. **No secrets in code**: Use environment variables
3. **Dependency audits**: Check `cargo audit` before PRs
4. **SBOM compliance**: Ensure `SBOM.*.json` files are updated

## Known Security Considerations

### Encryption Features

- TypeDialog uses industry-standard encryption (secretumvault)
- Configuration files may contain sensitive data; protect them with file permissions

### Web Backend

- Production configs enable CSRF protection and rate limiting
- See `config/web/production.toml` for security settings

### AI Backend

- API keys stored in environment variables only
- No API keys in logs or error messages

## Dependency Security

We use:

- `cargo-audit` for known vulnerabilities
- `cargo-deny` for license/security policies
- Automated dependency updates via Renovate

## Security Scanning

CI pipeline includes:

- Dependency audit (`cargo audit`)
- License compliance (`cargo-deny`)
- SBOM verification (SPDX + CycloneDX)

## Contact

For security concerns: contact via the repositories listed above.

For general support: GitHub Issues
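The two user-facing checks above (verify a download against `SHA256SUMS`, and keep configuration files that may hold secrets away from other users) can be scripted. The following is an added example and not part of the TypeDialog project; the artefact name `typedialog.tar.gz`, the config file name `production.toml` and the temporary directory are constructed here for the demonstration, and the script assumes GNU `sha256sum` and `stat` (with a BSD `stat` fallback).

```shell
#!/bin/sh
# Added example, not TypeDialog's own tooling. Shows (1) checksum
# verification of a release artefact, including detection of a modified
# file, and (2) a permission check for a config file that may hold secrets.

# verify_checksums DIR
# Runs `sha256sum -c` inside DIR against its SHA256SUMS file.
# Returns 0 only when every listed file matches its recorded digest.
verify_checksums() {
    dir=$1
    if [ ! -f "$dir/SHA256SUMS" ]; then
        echo "verify_checksums: $dir/SHA256SUMS not found" >&2
        return 1
    fi
    ( cd "$dir" && sha256sum -c SHA256SUMS )
}

# config_is_private FILE
# Returns 0 when FILE grants no permissions at all to group or others
# (octal mode ending in 00, e.g. 600 or 400), 1 otherwise.
config_is_private() {
    f=$1
    # GNU stat first; fall back to BSD stat if the GNU form is rejected.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Demonstration on constructed files in a temporary directory.
demo() {
    tmp=$(mktemp -d)

    # Constructed release artefact and a matching SHA256SUMS file.
    printf 'release-bits\n' > "$tmp/typedialog.tar.gz"
    ( cd "$tmp" && sha256sum typedialog.tar.gz > SHA256SUMS )
    verify_checksums "$tmp" && echo "checksums OK"

    # Any change to the artefact after SHA256SUMS was produced must fail.
    printf 'extra\n' >> "$tmp/typedialog.tar.gz"
    verify_checksums "$tmp" || echo "checksum mismatch detected"

    # Constructed config file with a placeholder secret.
    printf 'api_key = "PLACEHOLDER"\n' > "$tmp/production.toml"
    chmod 644 "$tmp/production.toml"
    config_is_private "$tmp/production.toml" || echo "config readable by others: fix with chmod 600"
    chmod 600 "$tmp/production.toml"
    config_is_private "$tmp/production.toml" && echo "config is private"

    rm -rf "$tmp"
}

demo
```

`sha256sum -c` reports each file as `OK` or `FAILED` and exits non-zero if any entry fails, so the exit status alone is enough to gate an install step. The permission check deliberately treats any group or other bits as a failure, which matches the "protect with file permissions" guidance for files that can contain secrets.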