I am committed to the security and privacy of the users of this library. As a library that processes documents containing potentially sensitive information, I treat all vulnerability reports with the highest priority.

Maintenance and security patches are currently provided for the latest major branch.

Please do not open public issues for security vulnerabilities.

Publicly disclosing a vulnerability before a fix is available creates an immediate window for attackers to exploit the issue against the millions of users currently running this library. Private reporting allows us to develop, test, and release a patch before the technical details are shared, ensuring that the community remains protected.

To facilitate a safe disclosure, please use our private GitHub reporting channel:

1. Navigate to the Security tab of this repository.
2. Select Advisories from the left-hand navigation.
3. Click the Report a vulnerability button.
   • Note: This creates a secure, private thread between you and the maintainer to collaborate on a fix.

Upon receiving a valid report, I will:

• Acknowledge receipt within 48 hours.
• Perform a thorough triage and impact assessment within 5 business days.
• Work with the reporter to validate and test the fix.
• Credit the researcher in the release notes (optional, at your discretion).

I ask that you follow coordinated disclosure practices and allow a reasonable window to release a patch before sharing technical details publicly.

• Third-Party Dependencies: Vulnerabilities in upstream libraries (e.g., tesseract.js, pdfjs-dist, fflate) should be reported directly to their respective maintainers.
• Semantic Chunking & External APIs: When using Semantic Strategy for chunking, you provide an embed function. If this function sends data to external LLM providers (like OpenAI or Anthropic), the security and privacy of that data transfer are governed by your implementation and the provider's terms. officeParser itself does not transmit document data to external servers by default.