
Security: Neuro-S/vericite

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in VeriCite, please report it responsibly:

  • Email: Send a description of the vulnerability to the project maintainer.
  • Do not open a public GitHub issue for security vulnerabilities.

Please include:

  1. A description of the vulnerability and its potential impact.
  2. Steps to reproduce the issue.
  3. Any relevant logs, error messages, or screenshots.
  4. Your suggested fix (if available).

Security Boundaries

VeriCite is designed with the following security boundaries:

Network Access

  • Helper scripts do not use the network by default.
  • verify_online.py requires explicit --allow-network to make outbound requests.
  • No third-party network dependencies are used.

Data Handling

  • Scripts do not modify original input files.
  • Scripts do not read sensitive system directories.
  • No personal data is collected or transmitted.
  • API keys (such as NCBI_API_KEY) are read from environment variables only, never hardcoded.

Access Controls

  • VeriCite never bypasses CAPTCHA, login walls, paywalls, or institutional access controls.
  • Rate limits are respected by design.
  • CNKI, Wanfang, VIP, and other restricted databases are only accessed through user-authorized channels.

Known Security Considerations

  • The --proxy flag in verify_online.py accepts a proxy URL. Users should ensure they trust the proxy before using it.
  • The --contact-email flag is passed to Crossref and NCBI as a politeness parameter. Users should be aware that this email may appear in API logs.
  • When running with --allow-network, DNS queries and HTTPS connections are made to public API endpoints. In restricted network environments, this may leak query topics to DNS resolvers or network observers.
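The boundaries above (no network unless --allow-network is passed, NCBI_API_KEY read from the environment only, and the --proxy URL checked before use) can be enforced in a small argument-handling layer. The following Python is an added illustration written for this page, not code from VeriCite; only the flag and variable names come from the policy text, while the function and class names and the `mailto` / `api_key` parameter names are assumptions.

```python
import argparse
import os
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse


class NetworkDisabledError(RuntimeError):
    """Raised when an outbound request is attempted without --allow-network."""


@dataclass(frozen=True)
class NetworkPolicy:
    allow_network: bool            # off by default, as the policy states
    proxy: Optional[str]           # only a scheme check here; trusting it is the user's call
    contact_email: Optional[str]   # politeness parameter sent to Crossref / NCBI
    api_key: Optional[str]         # NCBI_API_KEY from the environment, never hardcoded


def parse_policy(argv: List[str], env=None) -> NetworkPolicy:
    """Derive the network policy from CLI flags plus the process environment."""
    env = os.environ if env is None else env
    parser = argparse.ArgumentParser(prog="verify_online.py")  # name taken from the policy text
    parser.add_argument("--allow-network", action="store_true")
    parser.add_argument("--proxy")
    parser.add_argument("--contact-email")
    args = parser.parse_args(argv)
    if args.proxy is not None:
        # Reject proxy URLs with an unexpected scheme before any request is built.
        scheme = urlparse(args.proxy).scheme
        if scheme not in ("http", "https", "socks5"):
            raise ValueError(f"unsupported proxy scheme: {scheme!r}")
    return NetworkPolicy(args.allow_network, args.proxy, args.contact_email,
                         env.get("NCBI_API_KEY"))


def request_params(policy: NetworkPolicy) -> Dict[str, str]:
    """Query parameters an outbound lookup would attach; refuses when offline."""
    if not policy.allow_network:
        raise NetworkDisabledError("outbound requests need --allow-network")
    params: Dict[str, str] = {}
    if policy.contact_email:
        params["mailto"] = policy.contact_email   # assumed politeness parameter name
    if policy.api_key:
        params["api_key"] = policy.api_key         # assumed NCBI key parameter name
    return params
```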

Scope

This security policy applies to the VeriCite codebase, including all scripts in the scripts/ directory and the Skill instructions in SKILL.md. It does not cover the behavior of host Agent platforms that use VeriCite.