
Security: HartBrook/dulcet


SECURITY.md

Security Policy

Supported Versions

| Version | Supported |
| ------- | --------- |
| 0.x     | Yes       |

Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

How to Report

  1. Do not open a public GitHub issue for security vulnerabilities
  2. Use GitHub's private vulnerability reporting
  3. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Any suggested fixes (optional)

What to Expect

  • Acknowledgment: Within 48 hours of your report
  • Initial Assessment: Within 5 business days
  • Resolution Timeline: Depends on severity, typically:
    • Critical: 1-7 days
    • High: 7-14 days
    • Medium: 14-30 days
    • Low: Next release cycle

After Reporting

  • We will work with you to understand and validate the issue
  • We will keep you informed of our progress
  • Once fixed, we will publicly acknowledge your contribution (unless you prefer to remain anonymous)

Security Best Practices

When using Dulcet:

  • API Keys: Never commit API keys to version control. Load them from environment variables or from a .env file that is listed in .gitignore
  • Network: In production, run the WebSocket server behind a reverse proxy that terminates TLS, so clients connect over wss:// and the plaintext ws:// listener is reachable only from the proxy host. The proxy must forward the WebSocket Upgrade and Connection headers or the handshake will fail
  • Audio Data: Audio is processed locally by default. Be aware that the resulting text is sent to your configured LLM provider, so it leaves your machine and is covered by that provider's data handling terms

Scope

This security policy covers:

  • The dulcet Python package
  • The @dulcet/client TypeScript package
  • Official example applications
  • Documentation and configuration files

Third-party dependencies have their own security policies.

There aren’t any published security advisories