If you discover a security vulnerability in Jarvis, please report it responsibly:

Instead, please report security issues via one of these methods:

1. Email: Contact the repository maintainer directly
2. GitHub Security Advisory: Use GitHub's private vulnerability reporting feature
   • Go to the repository's "Security" tab
   • Click "Report a vulnerability"

Please include:

• Description of the vulnerability
• Steps to reproduce the issue
• Potential impact
• Suggested fix (if you have one)

• Initial Response: Within 48 hours
• Status Update: Within 7 days
• Fix Timeline: Depends on severity
  • Critical: 7-14 days
  • High: 14-30 days
  • Medium: 30-60 days
  • Low: Best effort

Never commit secrets to git!

• ✅ Use template files (appsettings.json.template)
• ✅ Store secrets in environment variables
• ✅ Use Azure Key Vault for production
• ❌ Never commit appsettings.json or appsettings.Development.json
• ❌ Never share Bot App passwords or API keys

• ✅ Use Managed Identity for Azure resource access
• ✅ Rotate secrets every 90 days
• ✅ Enable Application Insights for monitoring
• ✅ Use NSG rules to restrict network access
• ✅ Enable SSL/TLS for all endpoints
• ✅ Review Azure Security Center recommendations

• ✅ Validate all incoming requests from Teams
• ✅ Use HTTPS for all webhook endpoints
• ✅ Implement rate limiting for API calls
• ✅ Log all interactions for audit purposes
• ✅ Don't process commands from unauthorized users

• ⚠️ Jarvis records all meeting audio and conversations
• ⚠️ All interactions are logged to Application Insights
• ⚠️ Be aware of data residency requirements
• ⚠️ Don't share sensitive information with Jarvis in meetings
• ⚠️ Comply with your organization's data retention policies

We only provide security updates for the latest version. Please keep your deployment up to date.

• Authentication: Azure AD integration via Bot Framework
• Authorization: Microsoft Graph API permissions
• Encryption: TLS 1.2+ for all communications
• Secrets: Azure Key Vault integration
• Monitoring: Application Insights security logging
• Network: NSG rules and private endpoints support

• GDPR considerations for EU data
• SOC 2 compliance (via Azure services)
• HIPAA support (configure Azure appropriately)
• Data residency (choose Azure region)

1. Jarvis hears everything in meetings - This is required for wake phrase detection
2. Conversations are logged - Required for AI training and debugging
3. API keys in memory - Required for service communication (use Key Vault)

• Use Azure Key Vault for production secrets
• Enable Application Insights sampling to reduce data volume
• Implement data retention policies
• Remove Jarvis from sensitive meetings

Security updates will be announced via:

• GitHub Security Advisories
• Repository releases
• README.md updates

Jarvis depends on:

• Microsoft Bot Framework
• Microsoft Graph API
• Azure OpenAI
• Azure Speech Services
• .NET 8.0 Runtime

Please review security advisories for these dependencies regularly.

For security concerns that don't require immediate attention, you may also:

• Open a GitHub Discussion (for general security questions)
• Check existing GitHub Issues (for known security items)

Thank you for helping keep Jarvis and its users safe!