We take security seriously and appreciate efforts to report potential vulnerabilities. This document outlines support guidelines and submission procedures.
Only the latest release is actively supported with security patches:
| Version | Supported |
|---|---|
| v1.3.x | Active |
| < v1.2.x | End-of-life |
Please do not open GitHub issues for security vulnerabilities.
Instead, report them privately using the following process:
- Email a detailed vulnerability report to support@hrlytics.ai.
- Include the following details to help us investigate:
- Description of the vulnerability type.
- Steps to reproduce the issue.
- Code snippets or proof-of-concept indicators.
- Potential mitigation recommendations.
We will acknowledge receipt within 48 hours and coordinate a public release timeline for the security patch once fixed.
- Gemini API Keys: Never commit your
GEMINI_API_KEYto the repository. Always specify the key in your local, git-ignoredbackend/.envfile. - Database Credentials: Keep your SQLite database file (
hrlytics.db) git-ignored to prevent check-ins of actual user attributes or corporate meeting logs.