Logatory is a local-first log analysis tool. By default no log data leaves the machine it runs on, and personally identifiable information is redacted directly after parsing.
Logatory is pre-1.0 (0.x, beta). Security fixes are applied to the latest
state of master.
| Version | Supported |
|---|---|
| latest 0.x | ✅ |
| older | ❌ |
Please do not report security vulnerabilities through public GitHub issues.
Instead, use GitHub's private vulnerability reporting:
- Open the Security tab of the repository.
- Click Report a vulnerability.
- Include a description, steps to reproduce, and the affected version.
You will get an acknowledgement as soon as possible (best effort — Logatory is currently maintained by a single developer). Please allow reasonable time for a fix before any public disclosure.
Security-relevant areas include, but are not limited to:
- PII redaction bypasses — log data that should have been redacted reaching storage, the LLM layer, or API responses.
- REST API authentication bypasses.
- Path traversal or injection via log file paths, rule files, or plugins.
- Unexpected behaviour in the plugin loader.
Note that the plugin system executes Python files from the configured plugin directory by design — only point it at directories you trust. This is expected behaviour, not a vulnerability.