| Version | Supported |
|---|---|
| 0.1.x | ✅ |
| < 0.1 | ❌ |

StratoSort implements comprehensive security measures to protect your data and privacy:
- Local-first processing: All AI analysis happens locally using Ollama - no data leaves your machine
- File system isolation: Limited access to specific user directories only (Documents, Pictures, Desktop, Videos, Music)
- Restricted permissions: Explicit deny rules for sensitive directories (.ssh, .gnupg, .config, hidden files)
- Content Security Policy (CSP): Strict CSP rules prevent XSS and code injection attacks
- Input validation: All user inputs and file paths are validated and sanitized
- Secure communication: All Tauri IPC communications use type-safe interfaces
- Memory safety: Rust backend provides memory safety guarantees
- Signing keys: Application binaries are signed with secure keys (not stored in repository)
- Dependency scanning: Regular security audits of dependencies
- Test coverage: Comprehensive security test suite including:
  - XSS prevention testing
  - Input validation testing
  - File system access testing
  - Event system security testing
  - Rate limiting testing
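As an added illustration of the allow/deny rules listed above (example code, not StratoSort's own): a purely lexical path-scope check that accepts paths under the permitted home folders and rejects hidden or sensitive components, including `..` traversal out of an allowed folder. The home directory is passed in by the caller and is an assumed value; the directory names are the ones the policy lists.

```rust
// Added example, not StratoSort's own code: a lexical path-scope check built
// from the allow/deny rules the policy lists. `home` is supplied by the caller
// and assumed to be a clean absolute path, so no filesystem access is needed.
use std::path::{Component, Path, PathBuf};
/// Home subdirectories the application may touch (from the policy).
const ALLOWED_DIRS: &[&str] = &["Documents", "Pictures", "Desktop", "Videos", "Music"];
/// Sensitive directories denied even when nested inside an allowed one.
const DENIED_DIRS: &[&str] = &[".ssh", ".gnupg", ".config"];

#[derive(Debug, PartialEq)]
pub enum ScopeError {
    NotAbsolute,
    OutsideAllowedDirs,
    HiddenComponent(String),
    DeniedDir(String),
}

/// Drop `.` and resolve `..` lexically so `Documents/../.ssh/id_rsa` cannot escape.
fn normalize(path: &Path) -> Result<PathBuf, ScopeError> {
    if !path.is_absolute() { return Err(ScopeError::NotAbsolute); }
    let mut out = PathBuf::new();
    for c in path.components() {
        match c {
            Component::CurDir => {}
            Component::ParentDir => { out.pop(); }
            other => out.push(other.as_os_str()),
        }
    }
    Ok(out)
}

/// Return the normalised path if `candidate` lies under an allowed directory
/// of `home` and no later component is hidden or explicitly denied.
pub fn check_scope(home: &Path, candidate: &Path) -> Result<PathBuf, ScopeError> {
    let normalized = normalize(candidate)?;
    let rel = normalized.strip_prefix(home).map_err(|_| ScopeError::OutsideAllowedDirs)?;
    let mut names = rel.components().filter_map(|c| match c {
        Component::Normal(s) => Some(s.to_string_lossy().into_owned()),
        _ => None,
    });
    match names.next() {
        Some(first) if ALLOWED_DIRS.contains(&first.as_str()) => {}
        _ => return Err(ScopeError::OutsideAllowedDirs),
    }
    for name in names {
        if DENIED_DIRS.contains(&name.as_str()) { return Err(ScopeError::DeniedDir(name)); }
        if name.starts_with('.') { return Err(ScopeError::HiddenComponent(name)); }
    }
    Ok(normalized)
}
```

Because the check is lexical, it must run on the path the application will actually open; a real deployment would additionally resolve symlinks before the final access.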
We take security vulnerabilities seriously. If you discover a security issue, please follow these steps:
- DO NOT open a public GitHub issue for security vulnerabilities
- Send a detailed report to: security@stratosort.com (or create a private security advisory)
- Include the following information:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Any suggested fixes (if you have them)
Response timeline:
- Initial response: Within 48 hours
- Assessment: Within 5 business days
- Fix timeline: Critical issues within 7 days, others within 30 days
- Disclosure: Coordinated disclosure after fix is released
What to expect:
- Acknowledgment: We'll confirm receipt of your report
- Investigation: Our team will investigate and validate the issue
- Fix development: We'll develop and test a fix
- Release: Security fixes are released as soon as possible
- Credit: We'll acknowledge your contribution (if desired)
In scope:
- StratoSort desktop application
- File processing and analysis features
- AI integration components
- Configuration and settings management
Out of scope:
- Third-party dependencies (report to upstream)
- Operating system vulnerabilities
- Network infrastructure
- Social engineering attacks
To keep your StratoSort installation secure:
- Keep updated: Always use the latest version
- Verify signatures: Check that downloaded binaries are properly signed
- Review permissions: Monitor which directories StratoSort can access
- Local processing: Ensure AI processing stays local (check Ollama configuration)
- Regular backups: Keep backups of your organized files
Our security testing includes:
- Static analysis: Code scanning for vulnerabilities
- Dynamic testing: Runtime security testing
- Penetration testing: Regular security assessments
- Dependency audits: Ongoing vulnerability monitoring
- Fuzzing: Input validation testing
For general security questions or concerns:
- Email: security@stratosort.com
- Security advisories: GitHub Security tab
- General questions: GitHub Discussions
Note: This security policy applies to StratoSort v0.1.x and will be updated as the project evolves.