We take security seriously. If you discover a security vulnerability in grepai, please report it responsibly.

1. Do NOT open a public issue for security vulnerabilities
2. Email your findings to: yoan.bernabeu@gmail.com
3. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

• Acknowledgment: Within 48 hours
• Initial Assessment: Within 1 week
• Resolution Timeline: Depends on severity, typically 30-90 days

We consider security research conducted in accordance with this policy to be:

• Authorized concerning any applicable anti-hacking laws
• Exempt from restrictions in our Terms of Service that would interfere with conducting security research

We will not pursue civil or criminal action against researchers who:

• Make a good faith effort to avoid privacy violations and disruption
• Do not exploit vulnerabilities beyond what is necessary to confirm them
• Report vulnerabilities promptly

• Never commit API keys to version control
• Use environment variables for sensitive configuration
• Rotate API keys regularly

• The .grepai/ directory should not be shared
• Add .grepai/ to your .gitignore
• Review config.yaml before sharing configurations

• When using Ollama: runs locally, no data leaves your machine
• When using OpenAI: code content is sent to OpenAI's API
• PostgreSQL connections should use SSL in production

1. Embedding Content: Code content is sent to embedding providers

   • Use Ollama for sensitive codebases
   • Review OpenAI's data usage policies before using

2. Index Files: The .grepai/index.gob contains embeddings of your code

   • Do not share index files
   • Index files are excluded from git by default

3. PostgreSQL Backend: When using shared databases

   • Use strong passwords
   • Enable SSL
   • Implement proper access controls