Security: Siddhant-K-code/ContextLab

Security Policy

Supported Versions

  Version   Supported
  0.1.x     Yes

Reporting a Vulnerability

If you discover a security vulnerability in ContextLab, please report it by emailing security@contextlab.dev or by opening a private security advisory on GitHub.

Please do not open public issues for security vulnerabilities.

What to Include

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

Response Timeline

  • Acknowledgment: Within 48 hours
  • Initial Assessment: Within 1 week
  • Fix & Disclosure: Coordinated with reporter

Security Best Practices

API Keys

  • Never commit API keys or secrets to the repository
  • Use .env files (gitignored) for local development
  • Use environment variables in production
  • Rotate keys regularly
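The following is an added example, not code from the ContextLab project, showing one way to apply the key-handling rules above in a Python service: the key must come from the process environment, with a fallback to a gitignored .env file only for local development, start-up fails closed when no key is present, and the key is masked before it can reach a log line. The variable name OPENAI_API_KEY, the .env contents and the .gitignore check are constructed for the demo.

```python
"""Load an API key from the environment, or from a gitignored .env file in
development, and refuse to start without one.  Added example; not part of
ContextLab.  The .env parser below is a deliberately minimal KEY=VALUE reader."""
from __future__ import annotations

import fnmatch
import os
from pathlib import Path

# Constructed sample .env contents (not a real key) used for the offline demo.
SAMPLE_DOTENV = "# local dev only\nOPENAI_API_KEY=sk-test-0123456789abcdef\nLOG_LEVEL='debug'\n"


def parse_dotenv(text: str) -> dict[str, str]:
    """Parse KEY=VALUE lines; blank lines and '#' comments are ignored,
    surrounding single or double quotes on the value are stripped."""
    out: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        out[key.strip()] = value.strip().strip("'\"")
    return out


def load_api_key(name: str, env: dict | None = None, dotenv_text: str | None = None) -> str:
    """Return the secret named `name`.

    Production: the value must be present in the real environment (`env`).
    Development: fall back to the contents of a .env file that is never committed.
    Missing key -> RuntimeError, so a misconfigured deployment never runs half-configured."""
    env = os.environ if env is None else env
    value = env.get(name)
    if not value and dotenv_text is not None:
        value = parse_dotenv(dotenv_text).get(name)
    if not value:
        raise RuntimeError(f"{name} is not set; refusing to start")
    return value


def mask(secret: str) -> str:
    """Render a secret for logs: keep a 4-character prefix, hide the rest."""
    return secret[:4] + "*" * max(0, len(secret) - 4)


def dotenv_is_ignored(gitignore_text: str) -> bool:
    """True if the given .gitignore contents would exclude a top-level .env file.
    Patterns are matched with shell-style globbing; a leading '/' anchors to the root."""
    for raw in gitignore_text.splitlines():
        pattern = raw.strip()
        if not pattern or pattern.startswith("#"):
            continue
        if fnmatch.fnmatch(".env", pattern.lstrip("/")):
            return True
    return False


if __name__ == "__main__":
    # Development path: read a gitignored .env next to the project if it exists.
    dotenv_file = Path(".env")
    dotenv_contents = dotenv_file.read_text() if dotenv_file.is_file() else SAMPLE_DOTENV
    key = load_api_key("OPENAI_API_KEY", dotenv_text=dotenv_contents)
    print("loaded key", mask(key))
    gitignore = Path(".gitignore")
    if gitignore.is_file() and not dotenv_is_ignored(gitignore.read_text()):
        print("WARNING: .env is not listed in .gitignore")
```

The fallback to .env is deliberately limited to the explicit `dotenv_text` argument so that a production process, which should receive the key only through its environment, cannot silently pick up a developer's file.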

Dependencies

  • We regularly update dependencies to patch security issues
  • Dependabot alerts are monitored and addressed promptly
  • Run pip-audit before releases

Data Privacy

  • ContextLab processes text data locally by default
  • API calls to OpenAI or other providers are user-initiated
  • No telemetry or usage data is collected unless explicitly opted in
  • User data is never stored on external servers without consent

API Security

  • The REST API includes rate limiting
  • Authentication is token-based (disabled by default)
  • CORS is configurable
  • Input validation on all endpoints
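As an added, framework-agnostic illustration of the two controls listed above (not ContextLab's REST API code), the block below implements a bearer-token check that is a no-op while authentication is disabled, as the policy says it is by default, and a per-client token-bucket rate limiter. The `auth_enabled` flag, the request dictionary shape and the status-code ordering are assumptions of this example; the token comparison uses `hmac.compare_digest` so the check does not leak timing information.

```python
"""Bearer-token authorization and per-client token-bucket rate limiting.
Added example, not part of ContextLab; the request shape is a plain dict so
the logic can be dropped behind any HTTP framework."""
from __future__ import annotations

import hmac
import time
from typing import Callable


def authorize(authorization_header: str | None, expected_token: str | None, auth_enabled: bool) -> bool:
    """Return True if the request may proceed.

    With auth_enabled=False (the documented default) every request passes, which is
    exactly why a production deployment must turn it on.  When enabled, a missing
    configured token denies everything rather than falling open."""
    if not auth_enabled:
        return True
    if not expected_token or not authorization_header:
        return False
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False
    # Constant-time comparison: equal-length mismatches take the same time as matches.
    return hmac.compare_digest(token.encode(), expected_token.encode())


class TokenBucket:
    """Per-client token bucket: refills `rate` tokens per second, bursts up to `capacity`."""

    def __init__(self, rate: float, capacity: int, clock: Callable[[], float] = time.monotonic):
        self.rate = rate
        self.capacity = capacity
        self.clock = clock
        self._buckets: dict[str, tuple[float, float]] = {}  # client -> (tokens, last_seen)

    def allow(self, client: str) -> bool:
        """Consume one token for `client`; False means the caller should answer 429."""
        now = self.clock()
        tokens, last = self._buckets.get(client, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.rate)
        if tokens < 1.0:
            self._buckets[client] = (tokens, now)
            return False
        self._buckets[client] = (tokens - 1.0, now)
        return True


def handle(request: dict, limiter: TokenBucket, expected_token: str | None, auth_enabled: bool) -> int:
    """Tiny dispatcher returning an HTTP status code.
    The rate limit runs before the token check so an unauthenticated flood is
    rejected by the cheapest path."""
    if not limiter.allow(request.get("client", "unknown")):
        return 429
    if not authorize(request.get("authorization"), expected_token, auth_enabled):
        return 401
    return 200


if __name__ == "__main__":
    limiter = TokenBucket(rate=5.0, capacity=10)
    # Constructed requests: one authenticated, one with a bad token.
    for req in ({"client": "10.0.0.1", "authorization": "Bearer demo-token"},
                {"client": "10.0.0.2", "authorization": "Bearer wrong"}):
        print(req["client"], handle(req, limiter, expected_token="demo-token", auth_enabled=True))
```

The `clock` parameter exists so the limiter can be exercised deterministically in tests; in a real deployment the default `time.monotonic` is used and the bucket state would live in whatever store the API already shares across workers.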

Known Limitations

  • SQLite database is not encrypted by default
  • API authentication is optional (disabled in development)
  • Embedding providers may cache data according to their policies

Security Contact

For security concerns, contact: security@contextlab.dev
