This is an automation tool that handles credentials, a personal profile, and an inbox connection. Take it seriously.

Do NOT open a public issue. Instead, open a private security advisory on GitHub:

https://github.com/drajb/Job-Application-Automation/security/advisories/new

Or, if you cannot use GitHub: open a regular issue titled "Security: contact request" with no detail, and you'll be contacted privately.

Please include:

• A description of the vulnerability.
• Steps to reproduce.
• The version (commit SHA).
• Suggested fix (optional).

Expected response time: within 7 days for acknowledgment, within 30 days for a fix or mitigation plan.

The threat model assumes:

• The apply-agent process is not hardened against a compromised host. If your dev box is rooted, your secrets are gone.
• The browser session is not isolated from your host network. Use a VPN if your home IP is something you don't want associated with applications.
• The validator catches blatant fabrication but cannot detect a tailored output that paraphrases incorrectly. That's why every submit goes through human approval.
• We do not protect against the user voluntarily uploading the wrong PDF.

If you're running this on a shared machine:

• chmod 600 secrets/master.age.key
• chmod 600 .env
• chmod 700 secrets/
• Set BACKUP_DEST to an encrypted volume, not a plain NTFS mount
• Use a dedicated email for job applications, not your main account
• Use a dedicated Telegram bot (one bot per agent instance), not a shared one
• Keep your RESUME_SOURCE_DIR out of any cloud-synced folder if you've put salary expectations or visa status in the resume body

We will never ask you to share your secrets/master.age.key, .env, or decrypted profile.yaml in an issue, PR, or chat. Anyone asking for these is impersonating the project.