StratoSort is designed with security and privacy as core principles:

• Local-First Processing: All AI analysis happens locally in-process. No data is sent to external servers.
• Context Isolation: The Electron renderer process runs with strict context isolation and sandbox enabled.
• Input Validation: All IPC communications use Zod schema validation to prevent injection attacks.
• Path Sanitization: File paths are validated against dangerous patterns and system directories.
• No Telemetry by Default: Analytics and telemetry are disabled unless explicitly enabled by the user.

We take security vulnerabilities seriously. If you discover a security issue, please follow these steps:

1. Do NOT create a public GitHub issue
2. Report privately via GitHub Security Advisories (preferred)
   • Use the repository’s Security tab → Report a vulnerability
3. Include:
   • A clear description of the vulnerability
   • Steps to reproduce the issue
   • Potential impact assessment
   • Any suggested fixes (optional but appreciated)

1. Create a GitHub issue with the security label
2. Avoid including exploit code or detailed attack vectors in public issues

• Acknowledgment: Within 48 hours
• Initial Assessment: Within 5 business days
• Resolution Timeline: Depends on severity
  • Critical: 1-7 days
  • High: 7-14 days
  • Medium: 14-30 days
  • Low: Next release cycle

• Download StratoSort only from official sources (GitHub Releases)
• Verify checksums when available
• Keep the application updated to the latest version

• Review imported settings files before applying
• Use strong, unique paths for sensitive document organization
• Regularly backup your settings using the built-in backup feature

• StratoSort runs entirely in-process for AI and vector search
• No external network requests are made during normal operation

• Node integration is disabled in the renderer process
• Context isolation is enabled
• Web security is enabled
• The sandbox is enabled for all renderer processes

• StratoSort requires file system access to organize files
• Dangerous system paths are blocked from organization operations
• Path traversal attacks are mitigated through validation

• Imported settings are validated against a whitelist of allowed keys
• URL patterns are validated to prevent SSRF-style attacks
• Prototype pollution attacks are explicitly blocked

Security updates will be released as patch versions (e.g., 1.0.1, 1.0.2) and announced via:

• GitHub Releases
• In-app update notifications (if auto-update is enabled)

We appreciate the security research community's efforts in making StratoSort more secure. Contributors who report valid security issues will be acknowledged here (with permission).

Last updated: January 2026