Security Policy

Reporting Security Vulnerabilities

We take security seriously in Local Deep Research. If you discover a security vulnerability, please follow these steps:

🔒 Private Disclosure

Please DO NOT open a public issue. Instead, report vulnerabilities privately through one of these methods:

  1. GitHub Security Advisories (Preferred):

    • Click the link above or go to Security tab → Report a vulnerability
    • This creates a private discussion with maintainers
  2. Email:

    • Send details to the maintainers listed in CODEOWNERS
    • Use "SECURITY:" prefix in subject line

What to Include

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Any suggested fixes (optional)

Our Commitment

  • We'll acknowledge receipt within 48 hours
  • We'll provide an assessment within 1 week
  • We'll work on a fix, prioritized by severity
  • We'll credit you in the fix (unless you prefer anonymity)

Vulnerability Disclosure Timeline

We follow a coordinated disclosure process with best-effort target timelines:

| Severity | Target Fix Time | Public Disclosure |
|----------|-----------------|-------------------|
| Critical | 30 days | After fix released |
| High | 45 days | After fix released |
| Medium | 60 days | After fix released |
| Low | 90 days | After fix released |

Note: This is a community-maintained project. Actual fix times may vary depending on complexity and maintainer availability. We do our best to address security issues promptly.

  • Coordination: We work with reporters to coordinate disclosure timing
  • Credit: Reporters are credited in release notes and security advisories (unless anonymity is requested)
  • CVE Assignment: For significant vulnerabilities, we will request CVE assignment through GitHub Security Advisories

Security Considerations

This project processes user queries and search results. Key areas:

  • No sensitive data in commits - We use strict whitelisting
  • API key handling - Always use environment variables
  • Search data - Queries are processed locally when possible
  • Dependencies - Regularly updated via automated scanning

Supported Versions

Security fixes are only provided for the latest release. Please upgrade to receive patches.

Security Scanning & CI/CD

We maintain comprehensive automated security scanning across the entire development lifecycle:

Static Application Security Testing (SAST)

| Tool | Purpose | Frequency |
|------|---------|-----------|
| CodeQL | Semantic code analysis for vulnerabilities | Every PR & push |
| Semgrep | Pattern-based security scanning | Every PR & push |
| Bandit | Python-specific security linting | Every PR & push |
| DevSkim | Security-focused linter | Every PR & push |

Dependency & Supply Chain Security

| Tool | Purpose | Frequency |
|------|---------|-----------|
| OSV-Scanner | Open Source Vulnerability database | Every PR & push |
| npm audit | JavaScript dependency vulnerabilities | Every PR & push |
| RetireJS | Known vulnerable JS libraries | Every PR & push |
| SBOM Generation | Software Bill of Materials (Syft) | Weekly & releases |
| License Scanning | License compliance checking | Every PR |

Container Security

| Tool | Purpose | Frequency |
|------|---------|-----------|
| Trivy | Container vulnerability scanning | Every PR & push |
| Hadolint | Dockerfile best practices | Every PR & push |
| Dockle | Container image security linting | Weekly |
| Image Pinning | Verify all images use SHA digests | Every PR |

Infrastructure & Configuration

| Tool | Purpose | Frequency |
|------|---------|-----------|
| Checkov | Infrastructure-as-Code security | Every PR & push |
| Zizmor | GitHub Actions security | Every PR & push |
| OSSF Scorecard | Supply chain security metrics | Periodic |

Dynamic Application Security Testing (DAST)

| Tool | Purpose | Frequency |
|------|---------|-----------|
| OWASP ZAP | Web application security scanning | Every PR & push |
| Security Headers | HTTP security header validation | Every PR & push |

Secrets Detection

| Tool | Purpose | Frequency |
|------|---------|-----------|
| Gitleaks | Secret detection in commits | Every PR & push |
| File Whitelist | Prevent sensitive files in commits | Every PR & push |

Release Security

| Feature | Description |
|---------|-------------|
| Cosign Signing | All Docker images are cryptographically signed |
| SLSA Provenance | Build attestations for supply chain verification |
| SBOM Attachments | SBOMs attached to container images and releases |
| Keyless Signing | Uses GitHub OIDC for Sigstore keyless signing |

Security Best Practices

All workflows follow security best practices:

  • Pinned Actions: All GitHub Actions pinned to SHA hashes
  • Minimal Permissions: Least-privilege permission model
  • Runner Hardening: step-security/harden-runner on all workflows
  • No Credential Persistence: persist-credentials: false on checkouts
  • Egress Auditing: Network egress monitoring enabled
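
One way to check a workflow file against the practices listed above (SHA-pinned actions, a permissions block, harden-runner, and `persist-credentials: false` on checkouts). This is an added example, not the project's own tooling; the rule names, function names and sample workflows are assumptions made for illustration, and the scan is a line-based heuristic rather than a full YAML parse.

```python
import re

USES = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^\s'\"#]+)")
PINNED = re.compile(r"^\./|@[0-9a-f]{40}$|@sha256:[0-9a-f]{64}$")  # local, commit SHA, digest
NO_PERSIST = re.compile(r"\s*persist-credentials:\s*['\"]?false\b")
FILE_RULES = {"no-permissions-block": r"^\s*permissions:",
              "no-harden-runner": r"uses:\s*step-security/harden-runner@"}

def indent(s):
    return len(s) - len(s.lstrip())

def step_block(lines, i):  # lines of the step (YAML list item) containing index i
    key, start = indent(lines[i]), i
    while start > 0 and not (lines[start].lstrip().startswith("- ")
                             and (start == i or indent(lines[start]) < key)):
        start -= 1
    base, end = indent(lines[start]), start + 1
    while end < len(lines) and (not lines[end].strip() or indent(lines[end]) > base):
        end += 1
    return lines[start:end]

def audit_workflow(text):
    """Heuristic line scan: sorted (line_number, rule); line 0 means file-level."""
    lines = text.splitlines()
    findings = [(0, rule) for rule, pat in FILE_RULES.items()
                if not any(re.search(pat, l) for l in lines)]
    for i, line in enumerate(lines):
        if not (m := USES.match(line)):
            continue
        ref = m.group(1)
        if not PINNED.search(ref):
            findings.append((i + 1, "unpinned-action"))
        if ref.startswith("actions/checkout@") and not any(map(NO_PERSIST.match, step_block(lines, i))):
            findings.append((i + 1, "checkout-persists-credentials"))
    return sorted(findings)

# Constructed sample workflows; SHA is a placeholder, not a real commit.
SHA = "0123456789abcdef0123456789abcdef01234567"
WEAK = "jobs:\n  t:\n    steps:\n      - uses: actions/checkout@v4\n"
HARDENED = f"""permissions:
  contents: read
jobs:
  t:
    steps:
      - uses: step-security/harden-runner@{SHA}
      - uses: actions/checkout@{SHA}
        with:
          persist-credentials: false
"""
```

A `permissions:` block being present does not prove it is least-privilege, so the scopes it grants still need a manual or tool-assisted review.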

OpenSSF Scorecard

We maintain a high OpenSSF Scorecard rating, measuring:

  • Branch protection
  • Dependency updates
  • Security policy
  • Signed releases
  • CI/CD security

Thank you for helping keep Local Deep Research secure!