If you discover a security vulnerability, please report it responsibly:
- Do NOT open a public issue
- Use GitHub Security Advisories to report privately
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)

Response timeline:
- Acknowledgment: within 48 hours
- Initial assessment: within 1 week
- Fix or mitigation: depends on severity

| Version | Supported |
|---|---|
| Latest | Yes |
| < Latest | Best effort |

This policy covers the DocForge codebase. Vulnerabilities in third-party dependencies are out of scope, but will be reported upstream if discovered.

DocForge is a local-first desktop application. All project data and uploaded documents are stored on your machine. The only outbound network requests are to the AI provider API you configure (OpenAI, DeepSeek, Claude, or your local Ollama instance). No data is sent to DocForge servers.