Scopes is committed to providing a secure task management tool. As an AI-native, local-first application, we take security seriously while keeping things practical for individual developers.

We currently support only the latest release with security updates. As this is an active development project, we recommend always using the most recent version.

• Create a GitHub issue for non-sensitive security concerns
• Use the security label to help us prioritize

• Use GitHub Security Advisories for private reporting

When reporting a security issue, please include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Any suggested fixes (if you have them)

1. Acknowledgment: We'll respond within 1 week
2. Investigation: We'll assess the issue and determine severity
3. Fix: We'll work on a fix and test it thoroughly
4. Release: We'll release the fix and notify reporters
5. Disclosure: Public disclosure after fix is available

Scopes includes several security measures:

• SLSA Level 3 Compliance: All releases include cryptographic provenance
• Automated Dependency Scanning: Via GitHub Dependabot and Dependency Review
• Dual-Level SBOM Generation:
  • Source-level SBOM (CycloneDX) from Gradle dependencies
  • Binary-level SBOM (CycloneDX) from compiled artifacts
• Comprehensive Vulnerability Scanning:
  • Grype vulnerability scanning with SARIF export
  • Results automatically uploaded to GitHub Security tab
  • Coverage of both dependency and binary-level vulnerabilities

For detailed usage instructions, see our security guides:

• Security Verification Guide
• Build Security Verification Guide
• Dependency Security Guide
• SBOM Verification Guide

• Local-First: AI interactions don't expose your private data by default
• Configurable Privacy: You control what data is shared with AI services
• Transparent Processing: Clear indication when AI features are active

• JAR Distribution: Self-contained JAR files with platform-specific wrapper scripts
• Multi-Layer Vulnerability Scanning:
  • Source dependencies scanned during build
  • Compiled JAR artifacts scanned with Grype
  • SARIF results integrated with GitHub Security
• Cross-Platform Consistency: Same security measures across all platforms
• Automated Security Reporting: Vulnerabilities visible in GitHub's Security tab
• Verifiable Builds: SHA256 checksums and SLSA provenance included in distribution bundles

Since Scopes is local-first:

• Your data stays local unless you explicitly choose to sync
• No telemetry is collected without your consent
• AI interactions are clearly marked and configurable

• Keep Scopes updated to the latest version
• Review AI integration settings for your privacy needs
• Verify downloaded JAR distributions using SHA256 checksums and SLSA provenance (see security guides)
• Use the automated verification in installer scripts when available
• Report any suspicious behavior immediately

• GitHub Issues: For general security questions
• Security Advisories: For sensitive vulnerability reports

We appreciate security researchers and users who help improve Scopes' security. Contributors to security improvements will be acknowledged in release notes (unless they prefer anonymity).

Note: This security policy reflects our commitment to building secure software while maintaining the simplicity expected in personal development tools. We balance comprehensive security with practical usability.