# Security Policy

## Supported Versions

| Version | Supported |
|---------|-----------|
| 1.0.x   | ✅        |

## Reporting a Vulnerability

We take security seriously. If you discover a security issue:

1. **DO NOT** open a public issue
2. Email: security@commercelearninghub.example (placeholder — update with real contact)
3. Include:
   - Description of the vulnerability
   - Steps to reproduce
   - Potential impact
   - Suggested fix (if any)

We will acknowledge receipt within 48 hours and provide a timeline for resolution.

## Security Considerations

### This is a Static Site
- No backend, no database, no user accounts
- All processing happens client-side in the browser
- No server-side code execution

### API Keys
- Stored in `/config/config.js`
- Only use free/public API keys
- Never commit private/secret keys
- Use environment variables in deployment if needed

### Dependencies
- Only use trusted, audited CDN sources
- Prefer Subresource Integrity (SRI) hashes
- Keep dependencies updated

### User Data
- All data stored in browser localStorage
- Cleared when user clears browser data
- No data sent to external servers (except API calls)

### Content Security
- No inline scripts (CSP-friendly)
- No eval() or dynamic code execution
- Sanitize all user inputs

## Best Practices for Users

1. Keep your browser updated
2. Use HTTPS (enforced by Cloudflare)
3. Don't share API keys
4. Clear localStorage if concerned about data

## Responsible Disclosure

We follow responsible disclosure principles:
- Report privately first
- Allow reasonable time to fix
- Credit reporters (with permission)

---

Last updated: 2026-07-12