Security: ARPAHLS/lc0_vic

Security policy

LC-0 VIC is an open-source host-side retrieval stack (CLI + optional HTTP bridge). This file describes how to report issues and what is in scope for the project maintainers.


Supported versions

Security fixes are triaged for the latest commit on the default branch and the most recent tagged release when one exists. Older tags are best-effort unless a critical issue affects many downstream users.

The package is pre-alpha (Development Status :: 2 - Pre-Alpha in pyproject.toml); treat deployments as bring-your-own-threat-model until you harden them.


Reporting a vulnerability

Do not open a public GitHub issue for undisclosed vulnerabilities.

  1. Preferred: GitHub Security Advisories for this repository (private report).
  2. Email: security@arpacorp.net. Include component, steps or minimal repro, and severity if known.

If neither path works, use a draft issue with no exploit details and ask for a secure channel; general org contact remains in the README section.

We aim to acknowledge serious reports within 48 hours and follow up with a remediation timeline where appropriate.

Please include:

  • Affected component (vic CLI, bridge, indexer, L2 parsers, etc.)
  • Steps to reproduce or a minimal proof-of-concept
  • Suggested severity (if known)

Out of scope for this repo: vulnerabilities in Ollama, the Python interpreter, Milvus / LanceDB upstream, or your OS / reverse proxy. Report those to their respective projects; we may still document mitigations in docs/THREAT_MODEL.md.


Operational notes

  • Bind the bridge to loopback by default; expose only behind TLS and a trusted reverse proxy.
  • Set VIC_BRIDGE_API_KEY when the bridge is reachable beyond localhost.
  • Do not commit .env, API keys, or populated indexes under data/vector_db/.

Coordinated disclosure

We appreciate responsible disclosure. Embargoes are agreed on a case-by-case basis for valid reports affecting this codebase.
