Currently supported versions with security updates:

• Never commit API keys to the repository
• Store API keys in .env file (already in .gitignore)
• Use environment variables for sensitive configuration
• Rotate API keys regularly

• ScopeSignal processes construction project text locally
• No data is sent to external services except the configured LLM API
• Cache files are stored locally in .scopesignal_cache/
• Export files may contain sensitive project information - handle appropriately

We regularly monitor dependencies for security vulnerabilities:

• Core dependencies are minimal and well-maintained
• Run pip list --outdated to check for updates
• Review requirements.txt for current versions

When using LLM APIs (DeepSeek, Claude, OpenAI):

• Use API keys with appropriate scopes and rate limits
• Monitor API usage at provider dashboard
• Be aware that project update text is sent to the API provider
• Review provider's data retention and privacy policies

If you discover a security vulnerability, please:

1. Do NOT open a public issue
2. Email the maintainers directly (check GitHub profile for contact)
3. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if available)

• Initial response: Within 48 hours
• Status update: Within 7 days
• Fix timeline: Depends on severity
  • Critical: Within 7 days
  • High: Within 30 days
  • Medium: Next release
  • Low: Next major version

1. Keep dependencies updated: pip install -r requirements.txt --upgrade
2. Protect API keys: Never share or commit .env file
3. Review exports: Check exported files before sharing
4. Validate inputs: Don't process untrusted or malicious text
5. Secure cache: Protect .scopesignal_cache/ directory permissions

1. No secrets in code: Use environment variables
2. Input validation: Sanitize user inputs
3. Secure defaults: Prefer secure configurations
4. Dependency review: Vet new dependencies carefully
5. Code review: Security-focused review for all PRs

ScopeSignal is a classification tool, not a security system:

• Does not authenticate users
• Does not encrypt cached data
• Does not sanitize inputs beyond basic validation
• Does not rate-limit API calls (depends on provider)

• Local development and analysis
• Trusted input data
• Single-user scenarios
• Non-production environments

For production deployments with sensitive data, additional security measures are recommended.

Security fixes are released as patch versions (e.g., 2.0.1) and documented in:

• CHANGELOG.md
• GitHub Security Advisories
• Release notes

We appreciate responsible disclosure of security issues. Contributors who report valid security vulnerabilities will be acknowledged in release notes (with permission).

Last updated: January 2026