We take the security of TrustEval seriously. If you discover a security vulnerability, please report it responsibly.

1. DO NOT open a public GitHub issue for security vulnerabilities
2. Email your findings to antrixsh@gmail.com
3. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

• Acknowledgment: Within 48 hours of report
• Initial Assessment: Within 5 business days
• Fix & Release: Depending on severity, typically within 14 days for critical issues

• We will acknowledge receipt of your report
• We will investigate and validate the issue
• We will work on a fix and coordinate disclosure
• We will credit you in the security advisory (unless you prefer anonymity)

• Never commit API keys to version control
• Use environment variables or TrustEval's encrypted KeyManager
• Rotate API keys regularly
• Use the mask_key() function when logging

• Always set TRUSTEVAL_DASHBOARD_KEY in production
• Never expose the dashboard on public networks without authentication
• Configure TRUSTEVAL_ALLOWED_ORIGINS for CORS

• Set TRUSTEVAL_STORE_PROMPTS=false (default) unless you need prompt storage
• Review audit logs regularly at ~/.trusteval/audit.log
• Encrypted data is stored using Fernet symmetric encryption

We regularly scan dependencies for known vulnerabilities using:

• bandit for Python code security analysis
• safety for dependency vulnerability checking
• GitHub Dependabot for automated dependency updates