The Local CV-JD Evaluator is designed with privacy and security as core principles. This document outlines our security practices and how to report security concerns.

• No Data Transmission: All processing happens locally on your computer
• No External Dependencies: No API keys, cloud services, or external data processing
• Offline Capable: Works without internet connection after initial setup
• Single File: No installation or system modification required

• Input Sanitization: All user inputs are properly escaped and sanitized
• XSS Prevention: HTML content is escaped to prevent cross-site scripting
• No Code Execution: No eval() or similar dynamic code execution
• CSP Ready: Compatible with Content Security Policy headers
• HTTPS Compatible: Works over secure connections

We provide security updates for the following versions:

We take security vulnerabilities seriously. If you discover a security issue, please follow these steps:

DO NOT create a public GitHub issue for security vulnerabilities.

Instead, please:

1. Email: Send details to [security@yourproject.com] (replace with your email)
2. Subject: Include "SECURITY" in the subject line
3. Details: Provide as much detail as possible:
   • Description of the vulnerability
   • Steps to reproduce the issue
   • Potential impact assessment
   • Suggested fix (if you have one)

When reporting a security vulnerability, please include:

• Vulnerability Type: XSS, injection, data leak, etc.
• Affected Component: Which part of the application is affected
• Reproduction Steps: Clear steps to reproduce the issue
• Impact Assessment: How this could affect users
• Environment: Browser, OS, LM Studio version
• Proof of Concept: If applicable (please be responsible)

• Acknowledgment: Within 24 hours
• Initial Assessment: Within 72 hours
• Status Updates: Weekly until resolved
• Fix Release: Target within 30 days for critical issues

• Cross-site scripting (XSS) vulnerabilities
• HTML injection attacks
• Local file access vulnerabilities
• Input validation bypasses
• Authentication/authorization issues (if any)
• Data leakage or privacy violations
• Code injection vulnerabilities

• Issues requiring physical access to the device
• Social engineering attacks
• Denial of Service (DoS) attacks
• Issues in LM Studio itself (report to LM Studio team)
• Browser vulnerabilities (report to browser vendors)
• Issues requiring malicious LM Studio models

1. Download from Official Sources: Only download from GitHub releases
2. Verify File Integrity: Check SHA256 checksums when provided
3. Use HTTPS: Access over HTTPS when using a web server
4. Keep LM Studio Updated: Use the latest version of LM Studio
5. Trusted Models Only: Only use AI models from trusted sources
6. Regular Updates: Keep the application updated to latest version

1. Sensitive Information: Be cautious when analyzing sensitive documents
2. Local Storage: Clear browser data if using on shared computers
3. File Exports: Securely handle exported analysis files
4. Screen Sharing: Be aware when screen sharing during analysis

• Input Validation: All inputs are validated and sanitized
• Output Encoding: All outputs are properly encoded
• No eval(): No dynamic code execution
• CSP Headers: Compatible with strict Content Security Policies
• HTTPS Only: Designed to work over secure connections

• Minimal Dependencies: Only essential external resources
• CDN Security: External resources loaded from reputable CDNs
• Integrity Checks: Subresource integrity where possible
• Regular Audits: Dependencies reviewed for security issues

• No formal external audits conducted yet
• Community security reviews welcome

• Code reviewed for security issues before each release
• Regular dependency security scanning
• Input/output validation testing

For enhanced security, you can serve the application with CSP headers:

Content-Security-Policy: default-src 'self'; 
  script-src 'self' 'unsafe-inline' cdn.jsdelivr.net; 
  style-src 'self' 'unsafe-inline' fonts.googleapis.com cdnjs.cloudflare.com; 
  font-src fonts.gstatic.com cdnjs.cloudflare.com; 
  connect-src 'self' localhost:1234;
  img-src 'self' data:;

• Use modern browsers with latest security updates
• Enable JavaScript (required for functionality)
• Consider using private/incognito mode for sensitive analysis

1. Security fixes are prioritized above feature development
2. Critical fixes may result in immediate patch releases
3. All security updates are documented in the changelog
4. Users are notified through GitHub releases and notifications

• GitHub Security Advisories
• Release notes and changelog
• Repository notifications

We appreciate security researchers who:

• Give us reasonable time to fix issues before public disclosure
• Provide detailed, actionable reports
• Don't access or modify user data during testing
• Don't perform DoS attacks or spam

Security researchers who responsibly disclose vulnerabilities may be:

• Acknowledged in our security hall of fame
• Mentioned in release notes (with permission)
• Eligible for our appreciation (no monetary rewards currently)

• Security Issues: [security@yourproject.com] (replace with your email)
• General Issues: GitHub Issues
• Project Maintainers: GitHub Team Page

• OWASP Top 10
• Web Security Guidelines
• LM Studio Security

We thank the security community for helping keep this project safe:

• [Security Researcher Name] - [Vulnerability Type] - [Date]
• (Future acknowledgments will be listed here)

This security policy was last updated on November 26, 2025.

Remember: When in doubt about security, err on the side of caution and report it!