| Version | Supported |
|---|---|
| Latest release | Yes |
| Previous releases | Best effort |
We take security seriously. If you discover a security vulnerability in ContextCypher, please report it responsibly through one of the channels below.
Via GitHub Security Advisories:
- Go to the Security Advisories page
- Click "Report a vulnerability"
- Provide details about the vulnerability
Via email: send details to security@threatvectorsecurity.com, including:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
Response timeline:
- Acknowledgment: within 48 hours
- Assessment: we will evaluate severity and impact within 1 week
- Fix timeline, based on severity:
  - Critical: patch within 72 hours
  - High: patch within 1 week
  - Medium: patch within 2 weeks
  - Low: included in the next release
Please do not:
- Open public GitHub issues for security vulnerabilities
- Exploit vulnerabilities beyond what is needed to demonstrate the issue
- Access or modify other users' data
ContextCypher is designed with these security principles:
- Offline-first: Data stays local by default. No cloud dependency required.
- Local API keys: AI provider keys are stored locally and never transmitted to our servers.
- CORS restricted: In standalone mode, CORS is restricted to localhost origins.
- Rate limiting: All API endpoints are rate-limited.
- Input sanitization: All diagram data is sanitized before AI processing.
- No telemetry: The open-source version contains no analytics or telemetry.
- Zero trust: No implicit trust between components. All inputs validated.
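The "CORS restricted to localhost origins" principle above, as an added illustration that is not ContextCypher's own code: an exact-match `Origin` allow-list for a standalone, loopback-only server. The helper names and the assumption that the server is reached over http(s) on a loopback address are mine; the point it shows is that the check parses the header and compares the host exactly, so a prefix match such as `localhost.evil.com` or a blanket `*` never slips through.

```javascript
// Added example (hypothetical helpers, not ContextCypher's middleware).
// Loopback hostnames as the WHATWG URL parser reports them; IPv6 keeps its brackets.
const LOCAL_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// True only for an Origin that parses as http(s) on a loopback host.
// "null" (sandboxed iframes, file://) and a missing header are not local.
function isLocalOrigin(origin) {
  if (typeof origin !== "string" || origin === "null") return false;
  let url;
  try {
    url = new URL(origin); // global WHATWG URL; lowercases and normalises the host
  } catch {
    return false; // unparsable Origin header
  }
  // A real Origin is scheme://host[:port] only; anything with a path, query,
  // fragment or userinfo is not an Origin and is rejected.
  if (url.pathname !== "/" || url.search || url.hash || url.username) return false;
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  // Exact hostname match: "localhost.evil.com" is not in the set.
  return LOCAL_HOSTS.has(url.hostname);
}

// CORS response headers for one request. No header at all for a foreign origin,
// so the browser blocks the cross-origin read; never reflect an arbitrary Origin.
function corsHeadersFor(origin) {
  if (!isLocalOrigin(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin, // the exact allowed value, never "*"
    "Vary": "Origin",                      // keep caches from reusing it for others
  };
}
```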
We monitor dependencies for known vulnerabilities. If you notice a vulnerable dependency, please report it through the channels above or open a standard GitHub issue.