Security Policy

Supported Versions

Security fixes are applied on master.

If a fix is shipped in a release, assume older releases remain vulnerable unless explicitly noted otherwise.

Do not open a public GitHub issue for a suspected vulnerability.

Report it privately to bee@skerritt.blog with a subject like [ciphey security] <short summary>.

If the GitHub UI shows a Report a vulnerability option for this repository, you can use that private reporting flow instead of email.

Include:

Plain text email is acceptable. If you need a different reporting channel, ask in the initial email.

Maintainers will aim to:

Please allow time for a fix before public disclosure.

Issues that are especially relevant for this project include:

crashes, hangs, or resource-exhaustion bugs triggered by untrusted input
unsafe handling of local files passed through the CLI
data exposure involving ~/.ciphey/config.toml, ~/.ciphey/database.sqlite, or model files under ~/.ciphey/models/
problems in the optional enhanced-detection setup flow, including token handling during model download
supply-chain issues in release artifacts or dependencies that materially affect users of ciphey

Current repository behavior that matters for security review:

ciphey stores cache and human-review data in a local SQLite database at ~/.ciphey/database.sqlite.
Configuration is stored locally at ~/.ciphey/config.toml.
The first-run enhanced-detection flow prompts for a Hugging Face token and states that the token is used for model download and not stored on disk.

If you report an issue, avoid sending real secrets or private datasets unless they are necessary to reproduce the problem.