If you discover a security vulnerability in student-ops, do not open a public issue.

Report privately by:

• GitHub private vulnerability reporting: Security tab → Report a vulnerability
• Or email the maintainers (see GOVERNANCE.md for contact)

Expect an acknowledgment within 72 hours.

Student-ops handles highly sensitive student data:

• Financial information (income, aid need, loans)
• Academic records (GPA, test scores)
• Essays and personal narratives
• Medical / family circumstances (if shared)

1. Zero telemetry — nothing is sent to external servers by default.
2. Local-only — all data lives in the user's repo.
3. No user data in git — .gitignore excludes config/profile.yml, essays/, aid-letters/, output/, reports/ by default (student must opt in to commit).
4. API keys — stored in .env, never committed.
5. Portal credentials — never stored; re-authenticated per session via the user's browser.

• Check .gitignore before first commit
• Never paste profile.yml into public issues or discussions
• Redact aid letter screenshots in bug reports

Vulnerabilities in scope:

• Data leakage from user-layer files into system-layer commits
• Script execution with unsafe inputs (command injection, path traversal)
• Credential exposure in logs or error messages
• Dependencies with known CVEs

Out of scope:

• AI hallucinations (track in issues as bugs, not security)
• User misconfigurations that expose their own data (e.g., committing profile.yml intentionally)