
Security: wgerade/AD-Posture


SECURITY.md

Security Policy

Supported Versions

Security fixes target the latest released version in CHANGELOG.md.

Reporting a Vulnerability

Do not open public issues with production Active Directory data, report exports, SIDs, distinguished names, or credentials.

For private deployments, report vulnerabilities through your internal security process. If this repository is published publicly, configure GitHub private vulnerability reporting before accepting external reports.

Data Handling

Generated reports can contain sensitive identity and privilege information. Keep the data\ and reports\ directories and the generated dashboard JSON files out of source control.

Treat the following as sensitive by default:

  • data\snapshot-*.json
  • reports\audit-*
  • reports\latest-dashboard.json
  • dashboard\dashboard-data.js
  • dashboard\latest-dashboard.json
  • dashboard\timeline-data.js
  • dashboard\timeline-comparison.json
  • config\ApprovedExceptions.json
  • remediation scripts generated by New-ADPostureRemediationScript
  • screenshots, GIFs, PDFs, and meeting exports created from real audit data

Recommended handling:

  • Store audit artifacts on encrypted disks or restricted shares.
  • Limit access to identity/security operations staff with a need to know.
  • Do not email raw exports or paste findings into tickets without redaction.
  • Run .\scripts\Test-GitHubReadiness.ps1 before publishing or opening a pull request.
  • Prefer synthetic data for demos, README screenshots, and public issues.
  • Rotate or delete stale reports after the retention period required by your governance process.
  • Use the generated remediation script with -WhatIf and approved change control before any production change.

Secure Operation Notes

The tool is designed for local/offline review. Dashboard pages include a restrictive Content Security Policy and visible sensitivity banners, but the generated JSON/JS files still contain the sensitive data. Browser controls do not replace file-system access control.

User-controlled values used in generated remediation scripts are quoted and converted into AD filter literals at runtime. Still review generated scripts before execution, especially when account or group names contain unusual characters such as backslashes, asterisks, or parentheses.
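As an added illustration (not the project's own code) of what "converted into AD filter literals" protects against, the following PowerShell escapes a name per RFC 4515 before it is placed in an LDAP filter, then previews the remediation with -WhatIf. ConvertTo-LdapFilterLiteral is a hypothetical function name, the group name is a constructed sample, and Get-ADGroup/Set-ADGroup assume the RSAT ActiveDirectory module.

```powershell
# Added example; ConvertTo-LdapFilterLiteral is a hypothetical name, not the
# project's API. Escapes the characters that carry meaning in an LDAP filter
# (RFC 4515) so a user-controlled value cannot change the filter's structure.
function ConvertTo-LdapFilterLiteral {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)

    # Backslash first, so the escape sequences added below are not re-escaped.
    $escaped = $Value.Replace('\', '\5c')
    $escaped = $escaped.Replace('*', '\2a')
    $escaped = $escaped.Replace('(', '\28')
    $escaped = $escaped.Replace(')', '\29')
    $escaped = $escaped.Replace([string][char]0, '\00')
    return $escaped
}

# Constructed sample: a group name that, unescaped, would close the cn clause
# and append an extra (adminCount=1) condition to the filter.
$untrustedName = 'Helpdesk*)(adminCount=1'
$literal = ConvertTo-LdapFilterLiteral -Value $untrustedName
$filter  = "(&(objectClass=group)(cn=$literal))"
Write-Host "Filter sent to AD: $filter"

# Review step: -WhatIf reports what would change without touching the
# directory; drop it only after the script has been read and approved.
Import-Module ActiveDirectory
$group = Get-ADGroup -LDAPFilter $filter -ErrorAction SilentlyContinue
if ($group) {
    Set-ADGroup -Identity $group -Description 'Reviewed via AD-Posture remediation' -WhatIf
} else {
    Write-Host 'No group matched the escaped literal; nothing to do.'
}
```

Comparing the printed filter with the raw input shows the escaped form matching only a group literally named with those characters, not every group with adminCount=1.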

There aren't any published security advisories