
Security: andreaseirich/ChatCompanion

SECURITY.md

Security Policy

Supported Versions

We currently support the following versions with security updates:

Version                Supported
Latest (main branch)   Yes

Security updates are provided for the main branch. We recommend using the latest version from the main branch.

Reporting a Vulnerability

If you discover a security vulnerability in ChatCompanion, we appreciate your help in disclosing it responsibly.

How to Report

You can report security vulnerabilities through one of the following channels:

  1. GitHub Security Advisory: Use the "Report a vulnerability" button on the Security tab of this repository.

  2. Email: Contact the project maintainer directly (contact information available in repository metadata).

What to Include

When reporting a vulnerability, please include:

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact
  • Suggested fix (if you have one)

Disclosure Process

We will:

  1. Acknowledge receipt of your report within a reasonable timeframe
  2. Investigate the vulnerability
  3. Work on a fix if the vulnerability is confirmed
  4. Release a fix when ready
  5. Credit you for the discovery (unless you prefer to remain anonymous)

Note: We are a small project with limited resources. While we take security seriously, we cannot guarantee specific response times or timelines. We will do our best to address security issues promptly and transparently.

Scope

This security policy applies to:

  • The ChatCompanion application code
  • The dependencies ChatCompanion uses and how it uses them (for example, depending on a known-vulnerable version, or calling a dependency in an insecure way)
  • Privacy and data handling concerns

Out of Scope

The following are considered out of scope for security reporting:

  • Issues in demo/test data
  • Issues requiring physical access to the device
  • Bugs in the code of third-party dependencies themselves (please report those to the respective maintainers); ChatCompanion's use of a vulnerable dependency remains in scope, as noted above
  • Social engineering attacks
  • Denial of service attacks

Security Best Practices

ChatCompanion is designed with privacy and security in mind:

  • Fully Offline: All processing happens locally; no data is uploaded
  • No Telemetry: No tracking or analytics
  • No Persistence: Chat text is not saved by default
  • Open Source: Code is available for security review
  • Automated Security Scanning: CodeQL analysis runs on push and pull requests (see .github/workflows/codeql-analysis.yml)
  • Dependency Updates: Dependencies are listed in requirements.txt; keep them current and check them for known vulnerabilities
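For reference, the following GitHub Actions workflow shows how the two automated checks above can be wired together: a CodeQL analysis job that runs on push, pull request and a weekly schedule, plus a job that audits the pinned dependencies in requirements.txt with pip-audit. This is an added example written for this page, not the project's own .github/workflows/codeql-analysis.yml; it assumes the code base is Python (inferred from requirements.txt) and that the default branch is main.

```yaml
# Example workflow (not the project's own file). Assumes a Python code base
# and a default branch named "main".
name: Security checks

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Weekly run so newly published CodeQL queries and advisories are picked up
    # even when no code changes.
    - cron: "0 6 * * 1"

# Least privilege: the token only needs to read the repo and write scan results.
permissions:
  contents: read
  actions: read
  security-events: write

jobs:
  codeql:
    name: CodeQL analysis
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          # Assumption: Python is the only language in the repository.
          languages: python
          # security-extended adds lower-confidence queries on top of the default suite.
          queries: security-extended

      - name: Run CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:python"

  dependency-audit:
    name: Audit pinned dependencies
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Check requirements.txt against known vulnerabilities
        # pip-audit resolves the requirements file and fails the job when any
        # pinned version matches a published advisory (PyPI advisory database / OSV).
        run: |
          python -m pip install --upgrade pip pip-audit
          pip-audit -r requirements.txt --strict
```

The `security-events: write` permission is what lets the analyze step upload results to the repository's Security tab; the other permissions are deliberately read-only. On a fork-originated pull request GitHub downgrades the token to read-only, so CodeQL results from forks appear only in the PR checks, not in the Security tab.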

We encourage security researchers and users to review the code and report any concerns.

Important Limitations

ChatCompanion is not a medical, psychological, or legal tool. It is a privacy-first assistant designed to help children and teenagers recognize risky chat patterns. It does not:

  • Provide medical or psychological diagnosis or treatment
  • Replace professional counseling or therapy
  • Make legal claims or provide legal advice
  • Guarantee perfect detection accuracy
  • Replace trusted adult guidance or professional support

For more information about limitations and ethical considerations, see ETHICS.md.

Acknowledgments

We appreciate the security research community and will acknowledge security researchers who responsibly disclose vulnerabilities (with their permission).


This security policy is aligned with the project's ethical principles of transparency and honesty about capabilities and limitations.
