Security: staticpayload/covenant.data

SECURITY.md

Security Policy

Reporting Security Issues

If you discover a security vulnerability in COVENANT.DATA, please report it privately.

Do not open a public issue.

How to Report

Send email to: security@covenant.data

Please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if known)

Response Time

We will acknowledge receipt within 48 hours and provide a response within 7 days.

Disclosure Policy

  • Users will be notified of security issues
  • Fixed versions will be released promptly
  • Credit will be given to reporters
  • Details will be published after a fix is available

Supported Versions

Security updates are provided for:

  • Latest minor version (0.1.x)

Security Model

COVENANT.DATA assumes the following threats are possible:

  1. Insider misuse
  2. Accidental export of sensitive fields
  3. Stolen laptops/devices
  4. Hostile plugins or connectors
  5. Malicious data attempting to break parsers

Security Requirements

  1. Deny by default
  2. Explicit purpose required for access
  3. Strong separation between raw and exported data
  4. Encryption support for bundles and local stores
  5. Strict input validation for every parser
  6. Safe defaults that block common failure modes

Threat Model

See docs/THREAT_MODEL.md for detailed threat modeling.

There aren’t any published security advisories