
Security: vs-adm/release-notes


SECURITY.md

Security Policy

Supported Versions

We release patches for security vulnerabilities in the following versions:

Version   Supported
1.x.x     Yes

Reporting a Vulnerability

We take security seriously. If you discover a security vulnerability, please follow these steps:

1. Do NOT open a public issue

Security vulnerabilities should not be reported through public GitHub issues.

2. Report privately

Send an email to the project maintainers with:

  • Subject: "Security Vulnerability in Release Notes Generator"
  • Description: Detailed description of the vulnerability
  • Steps to reproduce: How to reproduce the issue
  • Impact: What could an attacker accomplish?
  • Suggested fix: If you have ideas for how to fix it

3. What to expect

  • Acknowledgment: We'll acknowledge receipt of your report within 48 hours
  • Investigation: We'll investigate and respond within 5 business days
  • Updates: We'll keep you informed of our progress
  • Resolution: We'll work to release a fix as quickly as possible

Security Considerations

Configuration Files

  • Never commit config.yaml - it may contain sensitive paths or information
  • Use config.yaml.sample as a template and customize for your environment
  • Review file paths in configuration to ensure they don't expose sensitive directories

LM Studio API

  • Local usage recommended - The tool is designed for local LM Studio instances
  • Network exposure - If you expose the LM Studio API over a network, put appropriate security measures in front of it (authentication and access restriction)
  • API keys - If using remote APIs, ensure proper key management

Git Repository Access

  • Repository permissions - Ensure the tool only accesses repositories it should
  • Authentication - Use appropriate git authentication methods for private repositories
  • Sensitive data - Be aware of what data is being collected from git logs

Generated Content

  • Review output - Generated release notes may contain information from commit messages
  • Sensitive information - Ensure git commit messages don't contain secrets or sensitive data
  • Access control - Control access to generated release notes appropriately
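One way to put the "Review output" and "Sensitive information" points into practice is to scan commit messages for secret-shaped strings before they are fed into the generator. The following is an added example written for this policy, not code from the release-notes project; the detector set, the redaction marker and the sample commit messages are constructed assumptions.

```python
"""Scan commit messages for secret-like strings before generating release notes.

Added example for this SECURITY.md, not the project's own code. The patterns
cover a few public, well-known credential shapes (AWS access key id prefix,
GitHub token prefix, PEM private-key header) plus a generic name=value
credential assignment; extend the table to fit your environment.
"""
import re

# Detector name -> compiled pattern (dict order is the reporting order).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|token|api[_-]?key)\s*[:=]\s*\S+"
    ),
}

REDACTION = "[REDACTED]"

# Constructed sample commit messages (not from any real repository); the
# key-like values are placeholders shaped to trip the detectors above.
SAMPLE_COMMITS = [
    "Fix crash in changelog parser",
    "Add LM Studio client (api_key=sk-test-0000000000 for local use)",
    "Rotate creds: AKIAEXAMPLEEXAMPLE00",
]


def find_secrets(message):
    """Return the names of every detector that matches `message`."""
    return [name for name, pattern in SECRET_PATTERNS.items()
            if pattern.search(message)]


def redact(message):
    """Replace every matched secret with REDACTION so the note is safe to publish."""
    for pattern in SECRET_PATTERNS.values():
        message = pattern.sub(REDACTION, message)
    return message


def review_commits(messages):
    """Return (index, findings) for each commit message that needs review.

    Run this over `git log` output before generating notes; a non-empty result
    should block publication until the offending history has been cleaned.
    """
    return [(i, find_secrets(m)) for i, m in enumerate(messages) if find_secrets(m)]


if __name__ == "__main__":
    for index, findings in review_commits(SAMPLE_COMMITS):
        print(f"commit #{index}: {', '.join(findings)} -> {redact(SAMPLE_COMMITS[index])}")
```

Redaction only hides the value in the generated notes; the secret is still in git history and must be rotated regardless.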

Best Practices

For Users

  1. Run locally when possible
  2. Review configurations before use
  3. Validate output before publishing release notes
  4. Use version control for configuration files (excluding config.yaml)

For Developers

  1. Input validation - Validate all user inputs
  2. Path sanitization - Sanitize file paths to prevent directory traversal
  3. Error handling - Don't expose sensitive information in error messages
  4. Dependencies - Keep dependencies updated and monitor for vulnerabilities
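The "Path sanitization" and "Error handling" items above, together with the earlier advice to review file paths in the configuration, can be implemented as a single check run over the parsed config before the tool touches git or LM Studio. This is an added example, not code from the release-notes project; the allowed-root setting, the `*_path` key naming and the sample configuration values are assumptions.

```python
"""Confine configured file paths to an allowed root before use.

Added example for this SECURITY.md, not the project's own code. It assumes
the tool reads filesystem paths from config.yaml under keys ending in
"_path" and that an allowed root directory is configured; both are
illustrative assumptions.
"""
from pathlib import Path

# Constructed sample standing in for a parsed config.yaml.
ALLOWED_ROOT = "/srv/release-notes"
SAMPLE_CONFIG = {
    "repo_path": "repos/app",
    "output_path": "out/RELEASE_NOTES.md",
    "template_path": "../../etc/passwd",        # '..' traversal attempt
    "log_path": "/home/user/.ssh/id_ed25519",   # absolute path outside the root
    "lm_studio_url": "http://localhost:1234/v1",  # not a path, left alone
}


class UnsafePathError(ValueError):
    """A configured path would resolve outside the allowed root."""


def resolve_within(root, candidate):
    """Resolve `candidate` under `root`; raise if it escapes.

    Path.resolve() collapses '..' segments and follows symlinks, so checking
    the resolved result catches both textual traversal and symlink escapes.
    """
    base = Path(root).resolve()
    # pathlib discards `base` when `candidate` is absolute, so an absolute
    # path outside the root fails the same containment check as '..'.
    target = (base / candidate).resolve()
    # Compare path components, not string prefixes: a startswith() check
    # would wrongly accept "/srv/release-notes2/x" under "/srv/release-notes".
    if target != base and base not in target.parents:
        # Generic message: do not echo the resolved layout into logs or
        # error output (the "Error handling" point above).
        raise UnsafePathError("configured path escapes the allowed root")
    return target


def audit_config(config, root=ALLOWED_ROOT):
    """Return {key: "ok" | "rejected"} for every *_path entry in `config`.

    Run this at startup and refuse to continue if anything is rejected.
    """
    results = {}
    for key, value in config.items():
        if not key.endswith("_path"):
            continue
        try:
            resolve_within(root, value)
            results[key] = "ok"
        except UnsafePathError:
            results[key] = "rejected"
    return results


if __name__ == "__main__":
    for key, status in audit_config(SAMPLE_CONFIG).items():
        print(f"{key}: {status}")
```

Because the check runs on resolved paths, it also rejects a relative path that only escapes after a symlink is followed, which a purely textual filter on `..` would miss.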

Vulnerability Disclosure Timeline

  1. Day 0: Vulnerability reported
  2. Day 1-2: Acknowledgment sent
  3. Day 1-5: Initial investigation and impact assessment
  4. Day 5-30: Develop and test fix
  5. Day 30: Release security update
  6. Day 30+: Public disclosure (if appropriate)

We aim to resolve critical vulnerabilities within 30 days of disclosure.

Security Updates

Security updates will be:

  • Released promptly for critical vulnerabilities
  • Documented in release notes with appropriate detail
  • Announced through GitHub releases and security advisories

Contact

For security-related concerns that are not vulnerabilities (questions about security practices, etc.), you can open a regular GitHub issue or discussion.

Thank you for helping keep Release Notes Generator secure! 🔒
