Ocideck/SECURITY.md

# Security Policy

## Reporting a vulnerability

**Please do not report security vulnerabilities through public GitHub issues,
discussions, or pull requests.**

Instead, report them privately via GitHub's **"Report a vulnerability"** button
under the repository's **Security** tab (Security Advisories). If that is not
available to you, contact the maintainer directly and wait for a reply before
disclosing anything publicly.

When reporting, please include as much of the following as you can:

- A description of the issue and its impact.
- Steps to reproduce (a minimal deck or input file if relevant).
- The OciDeck version, operating system, and Flutter version.
- Any proof-of-concept, logs, or screenshots.

## What to expect

- **Acknowledgement** of your report as quickly as we reasonably can.
- An assessment and, where confirmed, a fix developed under coordinated
  (responsible) disclosure.
- Credit for the discovery if you wish — let us know how you would like to be
  named.

We ask that you give us a reasonable opportunity to address the issue before any
public disclosure, and that you avoid privacy violations, data destruction, or
service disruption while researching.

## Scope notes

OciDeck is an offline desktop application. Areas of particular interest:

- Parsing of untrusted decks (`.md`), packages (`.ocideck`), sidecars
  (`.ink.json`, captions), and linked CSV data.
- Importing presentations from a URL.
- The HTML export, which inlines third-party JavaScript (marked, highlight.js,
  mermaid, MathJax) to render offline.
- The export classification gate (`ClassificationPolicy`) — any way to export a
  deck classified above the configured release ceiling.

## Supported versions

Security fixes target the latest released version and the default development
branch. Older versions may not receive fixes.
Add project docs, EUPL licence, and open-source licence check Documentation & licensing: - Add the EUPL-1.2 licence (LICENSE.md) and set the project licence; refresh the README (name origin wink, updated feature list, documentation index). - Add CONTRIBUTING, SECURITY, CODE_OF_CONDUCT, CHANGELOG, AUTHORS, and THIRD_PARTY_NOTICES, plus docs/ (ARCHITECTURE, BUILD, USER_GUIDE, SHORTCUTS, LICENSE_COMPLIANCE) and .github/ (CI workflow, issue/PR templates). - Bring docs/FILE_FORMAT.md in line with current behaviour (code & chart slides, per-slide TLP comment, annotation .ink.json sidecar, chart data/ CSVs). Open-source compliance: - Add tool/check_licenses.dart and a `make licenses` target (wired into check-full and CI) that verifies every resolved dependency uses a recognised open-source licence. A scan of all 151 packages and bundled assets found only OSI-approved licences. Charts (Fase 1.1): - Replace the chart CSV textarea with an in-app editable data grid (editable series/labels/values, add/remove row & column, read-only when linked). - Centralize the linked-CSV directory name (`data/`) in a shared constant. Also normalize formatting repo-wide with `dart format` and fix one curly-braces lint, so `make check` and CI are green. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-07 12:19:56 +02:00			`# Security Policy`

			`## Reporting a vulnerability`

			`**Please do not report security vulnerabilities through public GitHub issues,`
			`discussions, or pull requests.**`

			`Instead, report them privately via GitHub's "Report a vulnerability" button`
			`under the repository's Security tab (Security Advisories). If that is not`
			`available to you, contact the maintainer directly and wait for a reply before`
			`disclosing anything publicly.`

			`When reporting, please include as much of the following as you can:`

			`- A description of the issue and its impact.`
			`- Steps to reproduce (a minimal deck or input file if relevant).`
			`- The OciDeck version, operating system, and Flutter version.`
			`- Any proof-of-concept, logs, or screenshots.`

			`## What to expect`

			`- Acknowledgement of your report as quickly as we reasonably can.`
			`- An assessment and, where confirmed, a fix developed under coordinated`
			`(responsible) disclosure.`
			`- Credit for the discovery if you wish — let us know how you would like to be`
			`named.`

			`We ask that you give us a reasonable opportunity to address the issue before any`
			`public disclosure, and that you avoid privacy violations, data destruction, or`
			`service disruption while researching.`

			`## Scope notes`

			`OciDeck is an offline desktop application. Areas of particular interest:`

			- Parsing of untrusted decks (`.md`), packages (`.ocideck`), sidecars
			(`.ink.json`, captions), and linked CSV data.
			`- Importing presentations from a URL.`
			`- The HTML export, which inlines third-party JavaScript (marked, highlight.js,`
			`mermaid, MathJax) to render offline.`
Add fail-closed export classification gate (release ceiling) Enforce an optional TLP release ceiling at the single export chokepoint so no format (PDF/PPTX/HTML) can bypass it. Classifying a deck stays optional; the gate only blocks decks classified above the configured ceiling, and is off by default. - ClassificationPolicy + ExportDecision: pure, tested decision logic (release ceiling, fail-closed; null = no gate). - ExportService.export() evaluates the policy first and refuses without building or writing anything when blocked. - Persist the ceiling as maxReleaseExportTlpKey in app settings/prefs (default off) with a setter on SettingsNotifier. - Export dialog runs the same check up front and explains a blocked export before any work starts; app shell builds the policy from settings. - Tests: classification_policy_test plus export_service chokepoint tests asserting a blocked export fails and writes no file. - Docs: CHANGELOG, README, USER_GUIDE, ARCHITECTURE, SECURITY. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-12 00:26:29 +02:00			- The export classification gate (`ClassificationPolicy`) — any way to export a
			`deck classified above the configured release ceiling.`
Add project docs, EUPL licence, and open-source licence check Documentation & licensing: - Add the EUPL-1.2 licence (LICENSE.md) and set the project licence; refresh the README (name origin wink, updated feature list, documentation index). - Add CONTRIBUTING, SECURITY, CODE_OF_CONDUCT, CHANGELOG, AUTHORS, and THIRD_PARTY_NOTICES, plus docs/ (ARCHITECTURE, BUILD, USER_GUIDE, SHORTCUTS, LICENSE_COMPLIANCE) and .github/ (CI workflow, issue/PR templates). - Bring docs/FILE_FORMAT.md in line with current behaviour (code & chart slides, per-slide TLP comment, annotation .ink.json sidecar, chart data/ CSVs). Open-source compliance: - Add tool/check_licenses.dart and a `make licenses` target (wired into check-full and CI) that verifies every resolved dependency uses a recognised open-source licence. A scan of all 151 packages and bundled assets found only OSI-approved licences. Charts (Fase 1.1): - Replace the chart CSV textarea with an in-app editable data grid (editable series/labels/values, add/remove row & column, read-only when linked). - Centralize the linked-CSV directory name (`data/`) in a shared constant. Also normalize formatting repo-wide with `dart format` and fix one curly-braces lint, so `make check` and CI are green. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-07 12:19:56 +02:00
			`## Supported versions`

			`Security fixes target the latest released version and the default development`
			`branch. Older versions may not receive fixes.`