Lauter handles candidate personal data (names, CVs, interview transcripts, recruiter notes). Security issues are treated as high-priority regardless of the reporter.

Do not open a public GitHub issue for security vulnerabilities.

Report privately through one of:

1. GitHub private vulnerability disclosure — https://github.com/provectus/recruitment-framework-workflow/security/advisories/new
2. Direct message to the engineering lead in Slack.

Include:

• A clear description of the issue.
• Steps to reproduce (or a proof-of-concept).
• The impact you think it has.
• Your suggested remediation, if any.

We will acknowledge within 2 business days and communicate a fix timeline within 5 business days of acknowledgement.

In scope:

• app/backend/ — API authentication, authorization, input validation, JWT handling, Cognito integration.
• app/frontend/ — XSS, CSRF, unsafe URL handling, client-side secret leakage.
• app/lambdas/ — prompt injection leading to data exfiltration, IAM role misuse, inadvertent log leakage of PII.
• infra/ — overly permissive IAM, publicly exposed S3, missing encryption, secrets-in-Terraform.
• CI/CD — compromised workflow tokens, secrets leaked in logs.

Out of scope:

• Denial-of-service attacks or load testing without written authorization.
• Social engineering of Provectus employees.
• Physical attacks.

CVs, transcripts, and candidate identifiers are sensitive. When filing bugs, prompt regressions, or code examples:

• Redact names, emails, phone numbers, and company names before pasting excerpts.
• Prefer short excerpts over full documents.
• Never commit real candidate files to the repo. datasets/ should contain synthetic or anonymized fixtures only.
• If you spot unredacted PII in an issue or PR, comment to flag it and contact the engineering lead to have it removed.

• Dependencies are updated weekly by Dependabot (see .github/dependabot.yml).
• dependency-review.yml runs on every PR to flag newly-introduced vulnerable dependencies.
• Docker base images and GitHub Actions are version-pinned and auto-updated on the same cadence.
• Secrets never live in code or CI config. Production secrets are in AWS Secrets Manager; CI uses OIDC to assume roles, with no long-lived AWS keys in GitHub secrets.