| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| 0.2.x | ❌ |
| < 0.2 | ❌ |
If you discover a security vulnerability in PrivySHA, please report it responsibly.
Do not open a public GitHub issue for security vulnerabilities.
Instead, email: ajayrajan727@gmail.com
Include:
- A description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
We aim to acknowledge reports within 48 hours and provide a status update within 7 days.
This policy covers:
- PII detection and masking bypasses
- Prompt injection / jailbreak evasion in PrivySHA's security layer
- Fail-safe behavior failures (data leakage on error paths)
- Dependency vulnerabilities in core
privyshapackage dependencies
Out of scope:
- Vulnerabilities in third-party LLM providers (OpenAI, Anthropic, etc.)
- Applications that disable privacy features (
privacy=False,mode="off") - ML model behavior when using optional
[ml]extras
PrivySHA follows these defaults:
- Privacy-first: PII masking enabled by default
- Fail-safe: Returns original or sanitized content on errors — never crashes the host app
- No hidden downloads: Rule-based mode requires no model downloads
- Local processing: Core security runs locally; no telemetry sent by default
- Keep
privacy=Truein production - Use
mode="strict"for sensitive workloads - Run
pip auditregularly on your environment - Do not log raw prompts containing PII in production
- Validate PrivySHA on your own data before compliance use