| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |

If you discover a security vulnerability in CAJAL, please report it responsibly:
- Do NOT open a public issue
- Email: contact@p2pclaw.com
- Subject: `[SECURITY] CAJAL — Brief description`
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)

| Phase | Timeline |
|---|---|
| Acknowledgment | Within 48 hours |
| Initial assessment | Within 7 days |
| Fix + release | Within 30 days (critical), 90 days (non-critical) |
| Public disclosure | After fix is released + 30 days |

CAJAL runs entirely locally. No data leaves your machine unless you explicitly:
- Push to GitHub
- Upload to HuggingFace
- Share via email

If using CAJAL with external services (arXiv, CrossRef):
- Keys are stored in `~/.cajal/config.yaml`
- File permissions should be `600`
- Never commit API keys to version control

Models are downloaded from HuggingFace/Ollama registries:
- Verify checksums when available
- Use trusted sources only
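
A local check for the two recommendations above (mode `600` on the config file, checksum verification for downloaded models), added here as an example and not part of the CAJAL project. The function names and the demo files are assumptions constructed for illustration; point the functions at `~/.cajal/config.yaml` and a real model file with its published digest.

```shell
#!/bin/sh
# Added example: local checks for the config-permission and checksum advice.

# check_config_perms FILE -> 0 if FILE is a regular file with mode 600,
# 1 if the mode is wrong, 2 if the file is missing.
check_config_perms() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 2; }
    # GNU stat takes -c '%a'; BSD/macOS stat takes -f '%Lp'.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ] && return 0
    echo "insecure mode $mode on $f (expected 600)" >&2
    return 1
}

# verify_sha256 FILE EXPECTED_HEX -> 0 only if the SHA-256 of FILE matches
# the digest published by the model source (case-insensitive hex).
verify_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$1" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$1" | cut -d' ' -f1)
    fi
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Constructed demo in a temporary directory; the real ~/.cajal is not touched.
demo=$(mktemp -d)
printf '# constructed sample, not a real CAJAL config\n' > "$demo/config.yaml"
chmod 644 "$demo/config.yaml"
check_config_perms "$demo/config.yaml" || chmod 600 "$demo/config.yaml"
check_config_perms "$demo/config.yaml" && echo "config.yaml: mode 600"

# Constructed "model" file whose content is the three bytes "abc".
printf 'abc' > "$demo/model.bin"
abc_sha256=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
verify_sha256 "$demo/model.bin" "$abc_sha256" && echo "model.bin: checksum OK"
rm -rf "$demo"
```

A non-zero return from either function is the signal to stop: fix the file mode before adding keys, and discard a model whose digest does not match.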

Security researchers who have responsibly disclosed vulnerabilities will be acknowledged in release notes and SECURITY.md.