CoStar handles relationship context, so privacy matters.
Please report:
- exposed API keys or local model credentials
- sample data leaks that reveal internal project names or real user data
- repository paths that should not be public
- any bug that could cause cross-user data mixing
Please use a private GitHub Security Advisory when possible:
If you cannot use a GitHub advisory, open a regular GitHub issue that asks for a private security follow-up.
Do not include sensitive details in the issue body. Share only enough context for the maintainers to establish a safer channel.
Please do not post sensitive details in a public issue.
- relationship-ingestion/runtime/model-config.local.json
- real meeting notes
- real contact exports
- internal customer / project codenames
If a local API key is exposed:
- revoke it with the model provider
- create a new local config file
- delete old run artifacts that contain the key