If you discover a security vulnerability in this plugin, do NOT open a public GitHub issue.
Instead, please report it privately:
- Email: sandi@vyayasan.com
- LinkedIn DM: Sandi S
- Twitter/X: @vyayasan
Please include in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if you have one)
Response timeline:
- Acknowledgment: Within 48 hours
- Assessment: Within 7 days
- Fix (if confirmed): Within 14 days
This security policy covers:
- The plugin code (commands, skills, templates)
- The risk scoring methodology
- The audit trail format
- Data handling in workflows
This security policy does NOT cover:
- Claude Cowork itself (report to Anthropic)
- Third-party data sources (OFAC, Companies House, etc.)
- Your own deployment environment
This plugin:
- Processes all data locally within Claude Cowork
- Does NOT send data to external servers (beyond the public APIs it queries)
- Does NOT store data outside your local Cowork environment
- Does NOT have network access beyond what Claude Cowork provides
Known limitations to be aware of:
- Public API queries are not encrypted end-to-end — Companies House, OFAC, and sanctions list queries go over HTTPS, but the query content (entity names) is visible to those services.
- Audit trail logs contain entity names — secure your local case folders appropriately.
- Excel/PDF outputs contain PII — handle generated reports per your firm's data classification policy.
| Version | Supported |
|---|---|
| 1.0.x | Yes |