Italian version: SECURITY.it.md.
| Version | Supported |
|---|---|
| latest | Yes |
| < latest | No — please upgrade |
If you discover a security vulnerability in Spendif.ai, please do not open a public issue.
Instead, report it privately:
- GitHub Security Advisories (preferred): go to the Security tab and click "Report a vulnerability"
- Email: send details to the repository owner via the email listed on the GitHub profile
- Description of the vulnerability
- Steps to reproduce
- Affected version(s)
- Potential impact
- Suggested fix (if any)
| Step | Timeline |
|---|---|
| Acknowledgment | Within 48 hours |
| Initial assessment | Within 7 days |
| Patch release | Within 30 days (critical: within 7 days) |
| Public disclosure | After patch is released |
The following are in scope:
- Application code in
core/,services/,ui/,db/,api/ - GitHub Actions workflows (
.github/workflows/) - Configuration, secret handling, and the PII-redaction layer applied before remote LLM calls
The following are out of scope:
- Vulnerabilities in upstream dependencies (report to the respective project; we will track via Dependabot / pip-audit)
- Social engineering attacks
- Denial of service attacks
Spendif.ai employs the following security practices:
- Static analysis — Bandit and forbidden-pattern guards run on every PR (CI workflow
security.yml) - CodeQL — semantic analysis with the
security-and-qualityquery suite (planned, tracked in backlog) - Input validation — Pydantic v2 schemas at API boundaries; explicit field-level checks in the service layer
- No dangerous functions —
eval(),exec(),subprocess shell=True,pickle.load(),yaml.load()withoutSafeLoaderare forbidden and CI-blocked - Ruff linting — enforced in CI with the bandit-style security rules (
S) enabled - Dependency management —
uv.lockprovides reproducible installs;pip-auditflags known CVEs - PII redaction — IBAN, card number, fiscal code and account-holder name are automatically replaced with placeholders before any remote LLM call. The service layer rejects unsanitised input. See
core/pii_redactor.pyand the privacy section of the landing page for the full list of handled identifiers - Local-first AI — the default LLM backend (
local_llama_cpp) keeps all data on the user's machine; remote backends are opt-in - Prompt integrity — prompt files have SHA-256 hashes verified at startup so unauthorised modifications are detected (planned, tracked in backlog)
We appreciate responsible disclosure. Security researchers who report valid vulnerabilities will be credited in the release notes (unless they prefer anonymity).