# Security Policy
## Reporting a Vulnerability
If you discover a security vulnerability, please report it privately:
- **Email:** lokiq0713@gmail.com
- **Response time:** within 72 hours
Please do not open a public issue for security vulnerabilities.
## Scope
This is a local CLI tool that analyzes Claude Code session data. Security considerations include:
- **CLI tool** — runs locally on your machine
- **npm postinstall** — downloads the correct pre-built binary for your platform during `npm install`
## Network Activity
**None** — this tool makes no network requests. All data is read and processed locally.
## File System Access
- **Reads** `~/.claude/projects/` — JSONL session files generated by Claude Code
- **Reads** `~/.config/cc-token-usage/config.toml` — optional user configuration for pricing overrides
- **Writes** HTML reports to `/tmp/` — temporary dashboard files opened in the browser
No other files or directories are accessed.
## Data Collection
**None.** This tool collects no telemetry, sends no analytics, and phones home to no server. Everything stays on your machine.