We take security seriously. If you discover a security vulnerability, please follow these steps:

• Do not open a public issue
• Do not discuss the vulnerability publicly
• Do not submit a pull request with the fix publicly

1. Email security reports to: sweeper.wailers.0s@icloud.com
2. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)
   • Your contact information

• Acknowledgment: Within 48 hours
• Assessment: Within 7 days
• Fix timeline: Depends on severity
  • Critical: 7 days
  • High: 30 days
  • Medium: 90 days
  • Low: Next release

We follow responsible disclosure:

1. We confirm the vulnerability
2. We develop and test a fix
3. We notify affected users (if applicable)
4. We publicly disclose after fix is available

When using CFAdv:

• Never commit API keys to version control
• Use environment variables or secure key management
• Rotate keys regularly

• Be cautious with sensitive data in context blocks
• Review privacy scores for sensitive content
• Use appropriate retention policies

• Keep dependencies updated
• Review security advisories for dependencies
• Use pip-audit to check for known vulnerabilities

CFAdv includes security-focused features:

• Privacy Scoring: Identifies potentially sensitive content
• Trust Scoring: Evaluates source reliability
• Content Validation: Sanitizes ingested content
• Audit Logging: Tracks context usage

• OCR may extract sensitive text from images
• PDF parsing may not fully sanitize all content
• Code extraction may include credentials in comments

Review all extracted content before use in production.

For security questions not related to vulnerabilities:

• GitHub Discussions: https://github.com/rotsl/CFAdv/discussions
• Email: sweeper.wailers.0s@icloud.com