How to report security and conduct

This guide covers how to responsibly report a vulnerability and where the community code of conduct lives.

Canonical source

The single source of truth for security is SECURITY.md and for conduct is CODE_OF_CONDUCT.md, both at the repo root. This page is a summary — on any difference, the root file wins.

Report a vulnerability

  1. Do not open a public issue for security vulnerabilities.
  2. Report privately following the process described in SECURITY.md.
  3. Include: a description of the problem, steps to reproduce, potential impact, and, if you have one, a proposed mitigation.

Security best practices in the stack

  • Never commit .env, .sdd/engram.db, API keys, or secrets. They are in .gitignore.
  • If a key leaks: revoke it immediately and generate a new one. See Managing API keys.
  • Prompt injection via PDF: the stack sanitizes PDF text (extract_pdf_text_sanitized, F03 mitigation) before passing it to an LLM.
  • HMAC audit trail: commercial sub-agents chain their results with HMACs, so the trail can be verified end to end.
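
The HMAC audit trail item above describes a verifiable chain of sub-agent results. As an added example (not Belico's own code; the key handling, record layout and field names are assumptions made here), the block below shows how such a chain can be built and checked: each entry's MAC covers the previous entry's MAC, so editing, reordering or deleting an earlier entry breaks verification from that point on.

```python
"""Added illustration (not Belico's code): a hash-chained HMAC audit trail.
Each sub-agent result is authenticated together with the MAC of the previous
entry, so tampering with any earlier entry invalidates every later one.
The key name, record layout and field names are assumptions for this example."""
import hmac
import hashlib
import json

# Constructed demo key; a real deployment would load it from a secret store.
DEMO_KEY = b"example-audit-key-do-not-use-in-production"
GENESIS = "0" * 64  # "previous MAC" link used by the first entry


def _canonical(payload: dict) -> bytes:
    # Deterministic serialisation so writer and verifier MAC identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, prev_mac: str, agent: str, payload: dict) -> str:
    # The MAC binds the previous link, the agent name and the canonical payload.
    msg = prev_mac.encode() + b"|" + agent.encode() + b"|" + _canonical(payload)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_entry(chain: list, key: bytes, agent: str, payload: dict) -> dict:
    """Append a sub-agent result whose MAC covers the previous entry's MAC."""
    prev = chain[-1]["mac"] if chain else GENESIS
    entry = {"agent": agent, "payload": payload, "prev": prev,
             "mac": _mac(key, prev, agent, payload)}
    chain.append(entry)
    return entry


def verify_chain(chain: list, key: bytes) -> tuple:
    """Return (ok, index_of_first_bad_entry); the index is -1 when intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev:          # link to previous entry was altered
            return False, i
        expected = _mac(key, prev, entry["agent"], entry["payload"])
        if not hmac.compare_digest(expected, entry["mac"]):  # constant-time
            return False, i
        prev = entry["mac"]
    return True, -1


def build_demo_chain(key: bytes = DEMO_KEY) -> list:
    # Constructed sample trail of three hypothetical sub-agents.
    chain = []
    append_entry(chain, key, "extractor", {"doc": "paper.pdf", "pages": 12})
    append_entry(chain, key, "summariser", {"summary_len": 480})
    append_entry(chain, key, "reviewer", {"verdict": "accept"})
    return chain


def tampered_demo_chain(key: bytes = DEMO_KEY) -> list:
    # Same trail, but the middle result is silently edited after the fact.
    chain = build_demo_chain(key)
    chain[1]["payload"]["summary_len"] = 9999
    return chain


if __name__ == "__main__":
    print("intact chain:", verify_chain(build_demo_chain(), DEMO_KEY))
    print("tampered chain:", verify_chain(tampered_demo_chain(), DEMO_KEY))
```

One caveat this design shares with any plain hash chain: truncating the trail after its last entry is not detectable from the chain alone, so the most recent MAC should also be recorded somewhere the writer cannot silently rewrite (a log shipped off-host, a signed checkpoint). Verification uses `hmac.compare_digest` so that a tampered MAC cannot be recovered byte by byte through timing differences.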

Code of conduct

Belico's LATAM community follows the CODE_OF_CONDUCT.md. In short: respect, collaboration, and zero tolerance for harassment. Conduct reports are handled confidentially.

Regional compliance

Belico is LATAM-first: compliance with Law 29733 (Peru), LGPD (Brazil), ICMJE (Jan 2026), and Springer Nature 2026. See Ecosystem.

See also