| Version | Security updates |
|---|---|
| 1.0.6 | Supported |
| 1.0.5 | Security fixes only |
| 1.0.4 | Unsupported |
| 1.0.3 and earlier | Upgrade required |
Use GitHub private vulnerability reporting when it is available. Do not publish credentials, license keys, private target URLs, recipient datasets, screenshots containing personal data, or a working exploit in a public issue.
Include:
- affected version and commit;
- operating system and Python/build mode;
- reproducible steps using synthetic data;
- expected and observed behavior;
- security impact;
- a minimal patch or mitigation when available.
- The application is for authorized Test Mode workflows only.
- Browser authentication is performed manually; the app does not request or persist dashboard credentials.
- Security challenges are paused for manual completion and are never bypassed.
- The local license cache uses Windows current-user DPAPI in production builds.
- The configured production license URL must use HTTPS.
- Runtime logs and reports can contain user-supplied email addresses and should be protected accordingly.
Operators must use a writable, access-controlled application folder, protect exported reports, restrict recipient files to authorized test records, and validate the license endpoint certificate and ownership.