If you discover a security vulnerability in Revenue-Sprint, please report it responsibly.

Email: chunkytortoise@proton.me

Include the following in your report:

• Description of the vulnerability
• Steps to reproduce
• Potential impact assessment
• Suggested fix (if any)

1. Acknowledgment -- You will receive an initial response within 48 hours confirming receipt
2. Assessment -- We will evaluate the severity and impact within 5 business days
3. Fix Development -- A patch will be developed according to the severity timeline above
4. Disclosure -- We will coordinate public disclosure with you after the fix is released

The following are in scope:

• API key exposure or leakage vectors
• Prompt injection that bypasses detection patterns
• SQLite injection or data exfiltration
• Unauthorized access to proposal data or credentials
• Denial of service through resource exhaustion

The following are out of scope:

• Vulnerabilities in upstream LLM provider APIs
• Social engineering attacks
• Issues requiring physical access

We appreciate security researchers who help keep Revenue-Sprint secure. With your permission, we will acknowledge your contribution in the release notes.

• Never commit API keys -- Use .env files and ensure .env is in .gitignore
• Use demo mode for testing -- Run --demo flag to avoid sending real API requests
• Review generated proposals -- AI-generated content should be reviewed before sending to clients
• Pin dependencies -- Use a lockfile to prevent supply chain attacks