# Security

Report suspected security problems to pzuggler@gmail.com. Do not post sensitive security details in public forums or shared documents.

There is no guaranteed security response time.

## What to Report

Report issues that could affect confidentiality, integrity, or availability of local BEPpoker data, including:

- unsafe handling of imported PokerStars files
- diagnostics exposing unredacted personal or local filesystem details through the redacted diagnostics path
- backup, export, restore, or delete behavior that can corrupt or expose local data
- installer, update, or dependency concerns affecting the desktop build

## What to Include

Include:

- BEPpoker version
- Windows version
- installer filename and checksum when available
- steps to reproduce
- expected and observed behavior
- whether raw hand-history or tournament-summary files are required to reproduce the issue
- redacted diagnostics after reviewing the copied text

Do not include raw PokerStars files, full diagnostics, database files, or screenshots containing sensitive local details unless pzuggler requests them and they have been reviewed.

## Dependency Security

Local dependency policy and audit commands are documented in [docs/dependency-security-policy.md](docs/dependency-security-policy.md). Release builds should run npm audit, Rust advisory checks, license checks, third-party notice generation, and SBOM generation before distribution.

## Installer Signing Status

The initial BEPpoker 0.2.0 installer is distributed unsigned from `https://get.beppoker.com/`. Windows will show an unknown publisher warning until Azure Artifact Signing is introduced in a later release. Advanced users and support investigations can compare its SHA-256 with the separate checksum file served from the official download domain.
