Security: Finfinder/Investment-Assistant

SECURITY.md

Security Policy

Supported Versions

Investment Assistant is currently in pre-1.0 development. Only the latest released minor version receives security updates.

Version    Supported
0.1.x      Yes
< 0.1      No

Note: This policy will be updated as the project matures toward a stable 1.0 release.

Reporting a Vulnerability

Please do NOT report security vulnerabilities through public issues, pull requests, or discussions.

Instead, report them privately using GitHub Security Advisories.

What to Include

To help us triage and resolve the issue quickly, please include:

  • Description of the vulnerability and its potential impact
  • Affected component (backend API, frontend, Docker configuration, dependencies, etc.)
  • Steps to reproduce or a proof-of-concept (if possible)
  • Affected version(s) of Investment Assistant
  • Any suggested mitigation or fix (optional)

Response Timeline

Stage                            Target
Initial acknowledgment           Within 48 hours
Triage and severity assessment   Within 1 week
Fix development and testing      Varies by severity
Patch release                    As soon as a fix is verified

We will keep you informed of progress throughout the process.

Scope

In Scope

  • Investment Assistant codebase (backend and frontend)
  • Docker and nginx configuration shipped with the project
  • CI/CD pipeline configuration

Out of Scope

Please report vulnerabilities in third-party dependencies directly to their maintainers:

Dependency   Report To
yfinance     https://github.com/ranaroussi/yfinance/issues
FastAPI      https://github.com/fastapi/fastapi/security
Next.js      https://github.com/vercel/next.js/security
React        https://github.com/facebook/react/issues
TA-Lib       https://github.com/TA-Lib/ta-lib-python/issues

If a vulnerability in a third-party dependency affects Investment Assistant specifically (e.g., an insecure default configuration we ship), that is in scope.

Disclosure Policy

  • We follow coordinated disclosure: we will work with you to understand and address the issue before any public disclosure.
  • Credit will be given to the reporter in the release notes (unless you prefer to remain anonymous).
  • We aim to release a fix before or simultaneously with public disclosure.

Safe Harbor

We consider security research conducted in good faith to be authorized and will not pursue legal action against researchers who:

  • Act in good faith to avoid privacy violations, destruction of data, and disruption of services
  • Only interact with accounts they own or with explicit permission of the account holder
  • Report vulnerabilities through the process described above
  • Do not exploit a vulnerability beyond what is necessary to demonstrate the issue

There aren't any published security advisories