We release patches for security vulnerabilities for the following versions:

We take the security of Smart Receipt Assistant seriously. If you have discovered a security vulnerability, we appreciate your help in disclosing it to us in a responsible manner.

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them by:

1. Email: Send details to the project maintainers via GitHub
2. GitHub Security: Use the Security Advisories feature

Please include the following information in your report:

• Type of vulnerability (e.g., buffer overflow, SQL injection, cross-site scripting)
• Full paths of source file(s) related to the vulnerability
• The location of the affected source code (tag/branch/commit or direct URL)
• Any special configuration required to reproduce the issue
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue, including how an attacker might exploit it

• Initial Response: Within 48 hours
• Status Update: Within 7 days
• Resolution: Depends on severity, typically within 30 days

• We will confirm the vulnerability and determine its impact
• We will release a fix as soon as possible
• We will publicly disclose the issue after the fix is released
• We will credit the reporter (unless they prefer to remain anonymous)

When using Smart Receipt Assistant:

• Never commit API keys to version control
• Use environment variables via .env file
• Add .env to .gitignore
• Rotate keys if they may have been exposed

• The application processes uploaded files (images, PDFs)
• Validate file types and sizes before processing
• Be cautious with files from untrusted sources

• Receipt data may contain sensitive financial information
• Ensure proper handling and storage of processed data
• Follow your organization's data protection policies

This project includes:

• Environment variable configuration for sensitive data
• Input validation via Pydantic models
• Type checking with mypy
• Dependency scanning via GitHub Dependabot

This application uses external APIs:

1. PaddleOCR API: Files are sent to PaddleOCR servers for OCR processing
2. ERINE API: Text is sent to Baidu AIStudio for LLM processing

Important: Review the privacy policies of these services before processing sensitive documents.

• For highly sensitive documents, consider self-hosted OCR solutions
• Implement data retention policies for processed receipts
• Use network security measures (VPN, firewalls) as appropriate

Security updates will be announced via:

• GitHub Releases
• GitHub Security Advisories

We recommend watching the repository for security updates.

Thank you for helping keep Smart Receipt Assistant secure! 🔐