# Security Policy
## Supported Versions
Currently, only the latest version receives security updates:

| Version | Supported          |
| ------- | ------------------ |
| 0.1.x   | :white_check_mark: |
## Reporting a Vulnerability
**Please do not report security vulnerabilities through public GitHub issues.**
If you discover a security vulnerability in Dynamic Grounding for GitHub Copilot, please report it privately:
### How to Report
1. **Email**: Send details to **ciresnave@gmail.com** with:
   - Subject line: `[SECURITY] Dynamic Grounding Vulnerability`
   - Description of the vulnerability
   - Steps to reproduce
   - Potential impact
   - Any suggested fixes (optional)
2. **Expected Response Time**:
   - Initial response: Within 48 hours
   - Status update: Within 7 days
   - Fix timeline: Depends on severity
### What to Include
- **Type of vulnerability** (e.g., API key exposure, injection attack, etc.)
- **Affected version(s)**
- **Step-by-step reproduction instructions**
- **Proof of concept** (if applicable)
- **Impact assessment** (who/what is affected)
- **Your contact information** for follow-up questions
### Security Update Process
1. **Acknowledgment**: We'll confirm receipt of your report
2. **Investigation**: We'll investigate and validate the issue
3. **Fix Development**: We'll develop and test a fix
4. **Disclosure**: We'll:
   - Release a security update
   - Publish a security advisory
   - Credit you (if desired) in the CHANGELOG
### Disclosure Policy
- **Please do not** publicly disclose the vulnerability until we've released a fix
- We aim to fix critical vulnerabilities within **30 days**
- We'll coordinate with you on the disclosure timeline
- You'll be credited in the security advisory (unless you prefer to remain anonymous)
## Security Best Practices for Users
### API Key Security
1. **Never commit API keys** to version control
2. **Use environment variables** or VS Code Secret Storage
3. **Rotate keys regularly** at [Google AI Studio](https://aistudio.google.com/app/apikey)
4. **Monitor usage** for unexpected activity
5. **Use separate keys** for development and production
### VS Code Extension Security
1. **Keep the extension updated** to get the latest security patches
2. **Review permissions** requested by the extension
3. **Use Secret Storage** instead of plaintext configuration
4. **Enable Settings Sync encryption** if using cloud sync
5. **Verify binary signatures** (when available)
### MCP Server Security
1. **Run with least privilege** - Don't run as administrator/root
2. **Monitor logs** for suspicious activity in the Output panel
3. **Limit network access** if using a restrictive firewall
4. **Keep Rust toolchain updated** for security patches
5. **Verify checksums** of downloaded binaries
## Known Security Considerations
### API Key Storage
- **VS Code Secret Storage**: Keys are encrypted using OS-level credential management
  - Windows: Credential Manager
  - macOS: Keychain
  - Linux: Secret Service API / Keyring
- **MCP Configuration**: Keys in `mcp.json` are stored as plaintext environment variables
  - Only visible to the MCP server process
  - Not synced via Settings Sync
  - Cleared when extension is uninstalled
### Data Transmission
- All API requests to Google Gemini use **HTTPS** encryption
- Code content is sent to Google only when using MCP tools
- No analytics or telemetry collected by this extension
- Quota tracking is client-side only
### Dependencies
We regularly audit dependencies for known vulnerabilities:
- Rust: `cargo audit`
- Node.js: `npm audit`
- Automated: GitHub Dependabot
## Security Features
- **SecureString Type**: Zeros API keys from memory on drop
- **No Logging**: API keys never appear in logs or debug output
- **Input Validation**: API keys validated before storage
- **Secure Defaults**: Auto-start with encrypted storage
- **Quota Tracking**: Client-side only, no external reporting
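
The zero-on-drop and no-logging behaviours listed above can be illustrated with a small Rust type. This is an added example, not the project's `SecureString` implementation; the `SecretKey` name, its methods and the sample key are assumptions made for illustration.

```rust
use std::fmt;
use std::ptr;
use std::sync::atomic::{compiler_fence, Ordering};

/// Hypothetical API key wrapper (illustrative; not the project's SecureString).
pub struct SecretKey {
    bytes: Vec<u8>,
}

impl SecretKey {
    pub fn new(key: &str) -> Self {
        SecretKey { bytes: key.as_bytes().to_vec() }
    }

    /// Explicit accessor, so every use of the plaintext is easy to find in review.
    pub fn expose(&self) -> &str {
        std::str::from_utf8(&self.bytes).expect("buffer was built from a &str")
    }

    /// Overwrite the heap buffer with zeros. Volatile writes stop the optimizer
    /// from eliding stores to memory that is about to be freed.
    pub fn wipe(&mut self) {
        for b in self.bytes.iter_mut() {
            unsafe { ptr::write_volatile(b as *mut u8, 0) };
        }
        compiler_fence(Ordering::SeqCst);
    }
}

impl Drop for SecretKey {
    fn drop(&mut self) {
        self.wipe();
    }
}

// Debug is redacted and Display is deliberately not implemented, so the key
// cannot reach a log line through `{:?}` or `{}`.
impl fmt::Debug for SecretKey {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "SecretKey([REDACTED; {} bytes])", self.bytes.len())
    }
}

fn main() {
    let key = SecretKey::new("constructed-sample-key"); // constructed sample value
    println!("{:?}", key); // prints the redacted form only
}
```

Copies made before the key is wrapped (for example the original `String` read from configuration) are outside the wrapper's control and must be wiped separately.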
## Responsible Disclosure Program
We believe in coordinated vulnerability disclosure and will:
1. Work with you to understand the issue
2. Develop a fix as quickly as possible
3. Give you credit (if desired)
4. Release security advisories promptly
Thank you for helping keep Dynamic Grounding secure! 🔒