We currently provide security updates for the following versions:

If you discover a security vulnerability in GrillKit, please report it responsibly.

Please do NOT report security vulnerabilities through public GitHub issues.

Use private vulnerability reporting on GitHub:

1. Open this repository on GitHub.
2. Go to Security → Advisories.
3. Click Report a vulnerability.

Include the following information:

• Description of the vulnerability
• Steps to reproduce (if applicable)
• Potential impact
• Suggested fix (if any)

• Acknowledgment: Within 48 hours of receiving your report
• Investigation: We will investigate and validate the issue
• Timeline: We aim to provide updates every 5-7 days
• Fix: Once fixed, we will release a security patch
• Credit: You will be credited (if desired) in the security advisory

1. API Keys: Never commit API keys to version control. Use data/config.json (which is gitignored)
2. Local Deployment: This tool is designed for local/self-hosted use
3. Regular Updates: Keep dependencies updated: uv sync --upgrade
4. Docker: Use provided Docker setup for isolation

• AI provider API keys are stored locally in data/config.json
• Interview data is stored locally in SQLite
• No authentication system (designed for single-user local use)
• WebSocket connections are unencrypted over HTTP (use HTTPS in production with reverse proxy)